Merge pull request #18607 from owen-mc/java/xss-content-type-sanitizer

owen-mc · web-flow · commit 74a249597a18 · 2025-02-24T23:39:18.000Z
Java: Add XSS Sanitizer for `HttpServletResponse.setContentType` with safe values
diff --git a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
@@ -315,6 +315,16 @@ class ResponseSetHeaderMethod extends Method {
   }
 }
 
+/**
+ * The method `setContentType` declared in `javax.servlet.http.HttpServletResponse`.
+ */
+class ResponseSetContentTypeMethod extends Method {
+  ResponseSetContentTypeMethod() {
+    this.getDeclaringType() instanceof ServletResponse and
+    this.hasName("setContentType")
+  }
+}
+
 /**
  * A class that has `javax.servlet.Servlet` as an ancestor.
  */
diff --git a/java/ql/lib/semmle/code/java/security/XSS.qll b/java/ql/lib/semmle/code/java/security/XSS.qll
@@ -92,9 +92,25 @@ private class WritingMethod extends Method {
 /** An output stream or writer that writes to a servlet, JSP or JSF response. */
 class XssVulnerableWriterSource extends MethodCall {
   XssVulnerableWriterSource() {
-    this.getMethod() instanceof ServletResponseGetWriterMethod
-    or
-    this.getMethod() instanceof ServletResponseGetOutputStreamMethod
+    (
+      this.getMethod() instanceof ServletResponseGetWriterMethod
+      or
+      this.getMethod() instanceof ServletResponseGetOutputStreamMethod
+    ) and
+    not exists(MethodCall mc, Expr contentType |
+      mc.getMethod() instanceof ResponseSetContentTypeMethod and
+      contentType = mc.getArgument(0)
+      or
+      (
+        mc.getMethod() instanceof ResponseAddHeaderMethod or
+        mc.getMethod() instanceof ResponseSetHeaderMethod
+      ) and
+      mc.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() = "content-type" and
+      contentType = mc.getArgument(1)
+    |
+      isXssSafeContentTypeString(contentType.(CompileTimeConstantExpr).getStringValue()) and
+      DataFlow::localExprFlow(mc.getQualifier(), this.getQualifier())
+    )
     or
     exists(Method m | m = this.getMethod() |
       m.hasQualifiedName("javax.servlet.jsp", "JspContext", "getOut")
@@ -106,6 +122,11 @@ class XssVulnerableWriterSource extends MethodCall {
   }
 }
 
+pragma[nomagic]
+private predicate isXssSafeContentTypeString(string s) {
+  s = any(CompileTimeConstantExpr cte).getStringValue() and isXssSafeContentType(s)
+}
+
 /**
  * A xss vulnerable writer source node.
  */
diff --git a/java/ql/src/change-notes/2025-01-28-fix-xss-content-type-safe.md b/java/ql/src/change-notes/2025-01-28-fix-xss-content-type-safe.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Fixed false positive alerts in the java query "Cross-site scripting" (`java/xss`) when `javax.servlet.http.HttpServletResponse` is used with a content type which is not exploitable.
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java
@@ -19,18 +19,18 @@ public static Response specificContentType(boolean safeContentType, boolean chai
     if(!safeContentType) {
       if(chainDirectly) {
         if(contentTypeFirst)
-          return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss
+          return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
         else
-          return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $xss
+          return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ xss
       }
       else {
         if(contentTypeFirst) {
           Response.ResponseBuilder builder2 = builder.type(MediaType.TEXT_HTML);
-          return builder2.entity(userControlled).build(); // $xss
+          return builder2.entity(userControlled).build(); // $ xss
         }
         else {
           Response.ResponseBuilder builder2 = builder.entity(userControlled);
-          return builder2.type(MediaType.TEXT_HTML).build(); // $xss
+          return builder2.type(MediaType.TEXT_HTML).build(); // $ xss
         }
       }
     }
@@ -105,39 +105,39 @@ else if(route == 8) {
     else {
       if(route == 0) {
         // via ok, as a string literal:
-        return Response.ok("text/html").entity(userControlled).build(); // $xss
+        return Response.ok("text/html").entity(userControlled).build(); // $ xss
       }
       else if(route == 1) {
         // via ok, as a string constant:
-        return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss
+        return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
       }
       else if(route == 2) {
         // via ok, as a MediaType constant:
-        return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $xss
+        return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ xss
       }
       else if(route == 3) {
         // via ok, as a Variant, via constructor:
-        return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $xss
+        return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss
       }
       else if(route == 4) {
         // via ok, as a Variant, via static method:
-        return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $xss
+        return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss
       }
       else if(route == 5) {
         // via ok, as a Variant, via instance method:
-        return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $xss
+        return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss
       }
       else if(route == 6) {
         // via builder variant, before entity:
-        return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $xss
+        return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss
       }
       else if(route == 7) {
         // via builder variant, after entity:
-        return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $xss
+        return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ xss
       }
       else if(route == 8) {
         // provide entity via ok, then content-type via builder:
-        return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $xss
+        return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ xss
       }
     }
 
@@ -162,27 +162,27 @@ public static Response methodContentTypeSafeStringLiteral(String userControlled)
 
   @GET @Produces(MediaType.TEXT_HTML)
   public static Response methodContentTypeUnsafe(String userControlled) {
-    return Response.ok(userControlled).build(); // $xss
+    return Response.ok(userControlled).build(); // $ xss
   }
 
   @POST @Produces(MediaType.TEXT_HTML)
   public static Response methodContentTypeUnsafePost(String userControlled) {
-    return Response.ok(userControlled).build(); // $xss
+    return Response.ok(userControlled).build(); // $ xss
   }
 
   @GET @Produces("text/html")
   public static Response methodContentTypeUnsafeStringLiteral(String userControlled) {
-    return Response.ok(userControlled).build(); // $xss
+    return Response.ok(userControlled).build(); // $ xss
   }
 
   @GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})
   public static Response methodContentTypeMaybeSafe(String userControlled) {
-    return Response.ok(userControlled).build(); // $xss
+    return Response.ok(userControlled).build(); // $ xss
   }
 
   @GET @Produces(MediaType.APPLICATION_JSON)
   public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
-    return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss
+    return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
   }
 
   @GET @Produces(MediaType.TEXT_HTML)
@@ -205,12 +205,12 @@ public String testDirectReturn(String userControlled) {
 
     @GET @Produces({"text/html"})
     public Response overridesWithUnsafe(String userControlled) {
-      return Response.ok(userControlled).build(); // $xss
+      return Response.ok(userControlled).build(); // $ xss
     }
 
     @GET
     public Response overridesWithUnsafe2(String userControlled) {
-      return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss
+      return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
     }
   }
 
@@ -219,12 +219,12 @@ public Response overridesWithUnsafe2(String userControlled) {
   public static class ClassContentTypeUnsafe {
     @GET
     public Response test(String userControlled) {
-      return Response.ok(userControlled).build(); // $xss
+      return Response.ok(userControlled).build(); // $ xss
     }
 
     @GET
     public String testDirectReturn(String userControlled) {
-      return userControlled; // $xss
+      return userControlled; // $ xss
     }
 
     @GET @Produces({"application/json"})
@@ -240,12 +240,12 @@ public Response overridesWithSafe2(String userControlled) {
 
   @GET
   public static Response entityWithNoMediaType(String userControlled) {
-    return Response.ok(userControlled).build(); // $xss
+    return Response.ok(userControlled).build(); // $ xss
   }
 
   @GET
   public static String stringWithNoMediaType(String userControlled) {
-    return userControlled; // $xss
+    return userControlled; // $ xss
   }
 
-}
+}
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java
@@ -26,7 +26,7 @@ public void encodeBegin(FacesContext facesContext, UIComponent component) throws
         writer.write("(function(){");
         writer.write("dswh.init('" + windowId + "','"
                 + "......" + "',"
-                + -1 + ",{"); // $xss
+                + -1 + ",{"); // $ xss
         writer.write("});");
         writer.write("})();");
         writer.write("</script>");
@@ -57,13 +57,13 @@ public void testAllSources(FacesContext facesContext) throws IOException
     {
         ExternalContext ec = facesContext.getExternalContext();
         ResponseWriter writer = facesContext.getResponseWriter();
-        writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $xss
-        writer.write(ec.getRequestParameterNames().next()); // $xss
-        writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $xss
-        writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $xss
-        writer.write(ec.getRequestPathInfo()); // $xss
-        writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $xss
-        writer.write(ec.getRequestHeaderMap().get("someKey")); // $xss
-        writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $xss
+        writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ xss
+        writer.write(ec.getRequestParameterNames().next()); // $ xss
+        writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ xss
+        writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ xss
+        writer.write(ec.getRequestPathInfo()); // $ xss
+        writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ xss
+        writer.write(ec.getRequestHeaderMap().get("someKey")); // $ xss
+        writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ xss
     }
 }
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java
@@ -6,7 +6,7 @@
 public class SetJavascriptEnabled {
     public static void configureWebViewUnsafe(WebView view) {
         WebSettings settings = view.getSettings();
-        settings.setJavaScriptEnabled(true); // $javascriptEnabled
+        settings.setJavaScriptEnabled(true); // $ javascriptEnabled
     }
 
     public static void configureWebViewSafe(WebView view) {
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
@@ -17,13 +17,13 @@ public static ResponseEntity<String> specificContentType(boolean safeContentType
 
     ResponseEntity.BodyBuilder builder = ResponseEntity.ok();
 
-    if(safeContentType) {
+    if(!safeContentType) {
       if(chainDirectly) {
-        return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
+        return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
       }
       else {
         ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.TEXT_HTML);
-        return builder2.body(userControlled); // $xss
+        return builder2.body(userControlled); // $ xss
       }
     }
     else {
@@ -60,22 +60,22 @@ public static ResponseEntity<String> methodContentTypeSafeStringLiteral(String u
 
   @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
   public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $xss
+    return ResponseEntity.ok(userControlled); // $ xss
   }
 
   @GetMapping(value = "/xyz", produces = "text/html")
   public static ResponseEntity<String> methodContentTypeUnsafeStringLiteral(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $xss
+    return ResponseEntity.ok(userControlled); // $ xss
   }
 
   @GetMapping(value = "/xyz", produces = {MediaType.TEXT_HTML_VALUE, MediaType.APPLICATION_JSON_VALUE})
   public static ResponseEntity<String> methodContentTypeMaybeSafe(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $xss
+    return ResponseEntity.ok(userControlled); // $ xss
   }
 
   @GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
   public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
-    return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
+    return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
   }
 
   @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
@@ -88,13 +88,13 @@ public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(St
     // Also try out some alternative constructors for the ResponseEntity:
     switch(constructionMethod) {
       case 0:
-      return ResponseEntity.ok(userControlled); // $xss
+      return ResponseEntity.ok(userControlled); // $ xss
       case 1:
-      return ResponseEntity.of(Optional.of(userControlled)); // $xss
+      return ResponseEntity.of(Optional.of(userControlled)); // $ xss
       case 2:
-      return ResponseEntity.ok().body(userControlled); // $xss
+      return ResponseEntity.ok().body(userControlled); // $ xss
       case 3:
-      return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $xss
+      return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $ xss
       default:
       return null;
     }
@@ -115,12 +115,12 @@ public String testDirectReturn(String userControlled) {
 
     @GetMapping(value = "/xyz", produces = {"text/html"})
     public ResponseEntity<String> overridesWithUnsafe(String userControlled) {
-      return ResponseEntity.ok(userControlled); // $xss
+      return ResponseEntity.ok(userControlled); // $ xss
     }
 
     @GetMapping(value = "/abc")
     public ResponseEntity<String> overridesWithUnsafe2(String userControlled) {
-      return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
+      return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
     }
   }
 
@@ -129,12 +129,12 @@ public ResponseEntity<String> overridesWithUnsafe2(String userControlled) {
   private static class ClassContentTypeUnsafe {
     @GetMapping(value = "/abc")
     public ResponseEntity<String> test(String userControlled) {
-      return ResponseEntity.ok(userControlled); // $xss
+      return ResponseEntity.ok(userControlled); // $ xss
     }
 
     @GetMapping(value = "/abc")
     public String testDirectReturn(String userControlled) {
-      return userControlled; // $xss
+      return userControlled; // $ xss
     }
 
     @GetMapping(value = "/xyz", produces = {"application/json"})
@@ -150,12 +150,12 @@ public ResponseEntity<String> overridesWithSafe2(String userControlled) {
 
   @GetMapping(value = "/abc")
   public static ResponseEntity<String> entityWithNoMediaType(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $xss
+    return ResponseEntity.ok(userControlled); // $ xss
   }
 
   @GetMapping(value = "/abc")
   public static String stringWithNoMediaType(String userControlled) {
-    return userControlled; // $xss
+    return userControlled; // $ xss
   }
 
   @GetMapping(value = "/abc")
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: majorAnalysis
 +---
 +* Fixed false positive alerts in the java query "Cross-site scripting" (`java/xss`) when `javax.servlet.http.HttpServletResponse` is used with a content type which is not exploitable.
Original file line number	Diff line number	Diff line change
`@@ -19,18 +19,18 @@ public static Response specificContentType(boolean safeContentType, boolean chai`
`19`	`19`	`if(!safeContentType) {`
`20`	`20`	`if(chainDirectly) {`
`21`	`21`	`if(contentTypeFirst)`
`22`		`- return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss`
	`22`	`+ return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss`
`23`	`23`	`else`
`24`		`- return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $xss`
	`24`	`+ return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ xss`
`25`	`25`	`}`
`26`	`26`	`else {`
`27`	`27`	`if(contentTypeFirst) {`
`28`	`28`	`Response.ResponseBuilder builder2 = builder.type(MediaType.TEXT_HTML);`
`29`		`- return builder2.entity(userControlled).build(); // $xss`
	`29`	`+ return builder2.entity(userControlled).build(); // $ xss`
`30`	`30`	`}`
`31`	`31`	`else {`
`32`	`32`	`Response.ResponseBuilder builder2 = builder.entity(userControlled);`
`33`		`- return builder2.type(MediaType.TEXT_HTML).build(); // $xss`
	`33`	`+ return builder2.type(MediaType.TEXT_HTML).build(); // $ xss`
`34`	`34`	`}`
`35`	`35`	`}`
`36`	`36`	`}`
`@@ -105,39 +105,39 @@ else if(route == 8) {`
`105`	`105`	`else {`
`106`	`106`	`if(route == 0) {`
`107`	`107`	`// via ok, as a string literal:`
`108`		`- return Response.ok("text/html").entity(userControlled).build(); // $xss`
	`108`	`+ return Response.ok("text/html").entity(userControlled).build(); // $ xss`
`109`	`109`	`}`
`110`	`110`	`else if(route == 1) {`
`111`	`111`	`// via ok, as a string constant:`
`112`		`- return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss`
	`112`	`+ return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss`
`113`	`113`	`}`
`114`	`114`	`else if(route == 2) {`
`115`	`115`	`// via ok, as a MediaType constant:`
`116`		`- return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $xss`
	`116`	`+ return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ xss`
`117`	`117`	`}`
`118`	`118`	`else if(route == 3) {`
`119`	`119`	`// via ok, as a Variant, via constructor:`
`120`		`- return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $xss`
	`120`	`+ return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss`
`121`	`121`	`}`
`122`	`122`	`else if(route == 4) {`
`123`	`123`	`// via ok, as a Variant, via static method:`
`124`		`- return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $xss`
	`124`	`+ return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss`
`125`	`125`	`}`
`126`	`126`	`else if(route == 5) {`
`127`	`127`	`// via ok, as a Variant, via instance method:`
`128`		`- return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $xss`
	`128`	`+ return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss`
`129`	`129`	`}`
`130`	`130`	`else if(route == 6) {`
`131`	`131`	`// via builder variant, before entity:`
`132`		`- return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $xss`
	`132`	`+ return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss`
`133`	`133`	`}`
`134`	`134`	`else if(route == 7) {`
`135`	`135`	`// via builder variant, after entity:`
`136`		`- return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $xss`
	`136`	`+ return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ xss`
`137`	`137`	`}`
`138`	`138`	`else if(route == 8) {`
`139`	`139`	`// provide entity via ok, then content-type via builder:`
`140`		`- return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $xss`
	`140`	`+ return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ xss`
`141`	`141`	`}`
`142`	`142`	`}`
`143`	`143`
`@@ -162,27 +162,27 @@ public static Response methodContentTypeSafeStringLiteral(String userControlled)`
`162`	`162`
`163`	`163`	`@GET @Produces(MediaType.TEXT_HTML)`
`164`	`164`	`public static Response methodContentTypeUnsafe(String userControlled) {`
`165`		`- return Response.ok(userControlled).build(); // $xss`
	`165`	`+ return Response.ok(userControlled).build(); // $ xss`
`166`	`166`	`}`
`167`	`167`
`168`	`168`	`@POST @Produces(MediaType.TEXT_HTML)`
`169`	`169`	`public static Response methodContentTypeUnsafePost(String userControlled) {`
`170`		`- return Response.ok(userControlled).build(); // $xss`
	`170`	`+ return Response.ok(userControlled).build(); // $ xss`
`171`	`171`	`}`
`172`	`172`
`173`	`173`	`@GET @Produces("text/html")`
`174`	`174`	`public static Response methodContentTypeUnsafeStringLiteral(String userControlled) {`
`175`		`- return Response.ok(userControlled).build(); // $xss`
	`175`	`+ return Response.ok(userControlled).build(); // $ xss`
`176`	`176`	`}`
`177`	`177`
`178`	`178`	`@GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})`
`179`	`179`	`public static Response methodContentTypeMaybeSafe(String userControlled) {`
`180`		`- return Response.ok(userControlled).build(); // $xss`
	`180`	`+ return Response.ok(userControlled).build(); // $ xss`
`181`	`181`	`}`
`182`	`182`
`183`	`183`	`@GET @Produces(MediaType.APPLICATION_JSON)`
`184`	`184`	`public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {`
`185`		`- return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss`
	`185`	`+ return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss`
`186`	`186`	`}`
`187`	`187`
`188`	`188`	`@GET @Produces(MediaType.TEXT_HTML)`
`@@ -205,12 +205,12 @@ public String testDirectReturn(String userControlled) {`
`205`	`205`
`206`	`206`	`@GET @Produces({"text/html"})`
`207`	`207`	`public Response overridesWithUnsafe(String userControlled) {`
`208`		`- return Response.ok(userControlled).build(); // $xss`
	`208`	`+ return Response.ok(userControlled).build(); // $ xss`
`209`	`209`	`}`
`210`	`210`
`211`	`211`	`@GET`
`212`	`212`	`public Response overridesWithUnsafe2(String userControlled) {`
`213`		`- return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss`
	`213`	`+ return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss`
`214`	`214`	`}`
`215`	`215`	`}`
`216`	`216`
`@@ -219,12 +219,12 @@ public Response overridesWithUnsafe2(String userControlled) {`
`219`	`219`	`public static class ClassContentTypeUnsafe {`
`220`	`220`	`@GET`
`221`	`221`	`public Response test(String userControlled) {`
`222`		`- return Response.ok(userControlled).build(); // $xss`
	`222`	`+ return Response.ok(userControlled).build(); // $ xss`
`223`	`223`	`}`
`224`	`224`
`225`	`225`	`@GET`
`226`	`226`	`public String testDirectReturn(String userControlled) {`
`227`		`- return userControlled; // $xss`
	`227`	`+ return userControlled; // $ xss`
`228`	`228`	`}`
`229`	`229`
`230`	`230`	`@GET @Produces({"application/json"})`
`@@ -240,12 +240,12 @@ public Response overridesWithSafe2(String userControlled) {`
`240`	`240`
`241`	`241`	`@GET`
`242`	`242`	`public static Response entityWithNoMediaType(String userControlled) {`
`243`		`- return Response.ok(userControlled).build(); // $xss`
	`243`	`+ return Response.ok(userControlled).build(); // $ xss`
`244`	`244`	`}`
`245`	`245`
`246`	`246`	`@GET`
`247`	`247`	`public static String stringWithNoMediaType(String userControlled) {`
`248`		`- return userControlled; // $xss`
	`248`	`+ return userControlled; // $ xss`
`249`	`249`	`}`
`250`	`250`
`251`		`-}`
	`251`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`	`public class SetJavascriptEnabled {`
`7`	`7`	`public static void configureWebViewUnsafe(WebView view) {`
`8`	`8`	`WebSettings settings = view.getSettings();`
`9`		`- settings.setJavaScriptEnabled(true); // $javascriptEnabled`
	`9`	`+ settings.setJavaScriptEnabled(true); // $ javascriptEnabled`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`public static void configureWebViewSafe(WebView view) {`