Affects PMD Version:
6.30.0
Rule:
VfUnescapeEl
https://pmd.github.io/pmd-6.30.0/pmd_rules_vf_security.html#vfunescapeel
Description:
Visualforce has a large number of built-in functions. Some cannot introduce XSS (they return only booleans or literal values), yet using them still triggers false positives, even when the proper escape function is applied to the user-controlled argument.
Code Sample demonstrating the issue:
<apex:page showHeader="true" sidebar="true" standardController="testObj__c">
  <script>
    console.log({!IF(testObj__c.Text__c == 'foo', 'bar', 'baz')});
    console.log({!IF(BEGINS(testObj__c.Text__c, 'foo'), JSENCODE(testObj__c.Xss__c), 'bar')});
    console.log({!CASE(testObj__c.Name, testObj__c.Text__c, 'res1', 'else-res')});
    console.log({!CASE(testObj__c.Name, 'val1', JSENCODE(testObj__c.Text__c), 'else-res')});
  </script>
</apex:page>
Expected outcome:
Currently, all four console.log lines are incorrectly reported as violating VfUnescapeEl. All are false positives.
Line 1 is immune to XSS because the condition containing the field is evaluated on the server and the only possible return values are string literals.
Line 2 is immune to XSS because BEGINS returns an inherently safe boolean, and the identifier in the second parameter is JSENCODE'd.
Line 3 is immune to XSS because the only possible returns are 'res1' and 'else-res'.
Line 4 is immune to XSS because the returnable identifier testObj__c.Text__c is wrapped in JSENCODE.
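As an added example (not part of this issue or of PMD itself), a small Python analyzer that encodes the argument made above: it parses each {!...} expression and reports only identifiers that can reach the output without passing through an escaper, so IF conditions, BEGINS results and JSENCODE'd arguments are not flagged. The function tables and the treatment of unknown functions as pass-through are assumptions made for the illustration.

```python
import re

# Constructed model of the report's reasoning (illustrative, not PMD's actual rule logic):
# built-ins that only yield booleans or escaped text vs. those that pass arguments through.
ESCAPERS = {"JSENCODE", "HTMLENCODE", "JSINHTMLENCODE", "URLENCODE"}
BOOLEANS = {"BEGINS", "CONTAINS", "ISBLANK", "ISNULL", "NOT", "AND", "OR"}
TOKEN = re.compile(r"'(?:[^'\\]|\\.)*'|[A-Za-z_][\w.]*|\d+(?:\.\d+)?|==|!=|[(),]")

def parse(expr):
    """Parse a formula into ('lit', s), ('id', name), ('call', NAME, args) or ('cmp', a, b)."""
    tokens = TOKEN.findall(expr)          # findall skips whitespace between tokens
    def primary():
        tok = tokens.pop(0)
        if tok.startswith("'") or tok[0].isdigit():
            return ("lit", tok)
        if tokens and tokens[0] == "(":   # call: the loop eats "(", then each "," or ")"
            args = []
            while tokens.pop(0) != ")":
                args.append(expression())
            return ("call", tok.upper(), args)
        return ("id", tok)
    def expression():
        left = primary()
        if tokens and tokens[0] in ("==", "!="):
            tokens.pop(0)
            return ("cmp", left, primary())
        return left
    return expression()

def unescaped_sources(node):
    """Identifiers whose raw value can reach the rendered output from this node."""
    if node[0] in ("lit", "cmp"):         # literals and comparisons carry no field data
        return set()
    if node[0] == "id":
        return {node[1]}
    name, args = node[1], node[2]
    if name in ESCAPERS or name in BOOLEANS:
        return set()
    if name == "IF":                      # the condition is never output, the branches are
        reachable = args[1:3]
    elif name == "CASE":                  # each result follows its match value; else is last
        reachable = args[2::2] + (args[-1:] if len(args) % 2 == 0 else [])
    else:                                 # unknown function: assume it passes data through
        reachable = args
    return set().union(*(unescaped_sources(a) for a in reachable))

def find_violations(page):
    """[(expression, sorted leaking identifiers)] for each {!...} in page that can leak."""
    leaks = ((e, sorted(unescaped_sources(parse(e)))) for e in re.findall(r"\{!(.*?)\}", page))
    return [(e, ids) for e, ids in leaks if ids]
```

Run against the four lines from the code sample, find_violations returns an empty list; a constructed line such as {!IF(ISBLANK(testObj__c.Name), testObj__c.Xss__c, 'bar')} is still reported because testObj__c.Xss__c sits in a returned branch without an escaper.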
Running PMD through: [CLI]