Update documentation

https://github.com/pmd/pmd/runs/501317621 b629e26041...221c9e785e
2021-01-21 14:40:45 +00:00
parent 3bd8db5926
commit 24b0298d89
5 changed files with 59 additions and 5 deletions
--- a/feed.xml
+++ b/feed.xml
@@ -5,8 +5,8 @@
        <description>Intended as a documentation theme based on Jekyll for technical writers documenting software and other technical products, this theme has all the elements you would need to handle multiple products with both multi-level sidebar navigation, tags, and other documentation features.</description>
        <link>https://pmd.github.io/pmd/</link>
        <atom:link href="https://pmd.github.io/pmd/feed.xml" rel="self" type="application/rss+xml"/>
-        <pubDate>Thu, 21 Jan 2021 11:18:23 +0000</pubDate>
-        <lastBuildDate>Thu, 21 Jan 2021 11:18:23 +0000</lastBuildDate>
+        <pubDate>Thu, 21 Jan 2021 14:38:07 +0000</pubDate>
+        <lastBuildDate>Thu, 21 Jan 2021 14:38:07 +0000</lastBuildDate>
        <generator>Jekyll v3.9.0</generator>
        
    </channel>
--- a/pmd_release_notes.html
+++ b/pmd_release_notes.html
@@ -1422,9 +1422,15 @@ introduced with PMD 6.30.0 for C# and is now available for C++ as well. See <a h
 <h4 id="new-rules">New Rules</h4>

 <ul>
-  <li>The new Apex rule <a href="pmd_rules_apex_errorprone.html#overridebothequalsandhashcode"><code class="language-plaintext highlighter-rouge">OverrideBothEqualsAndHashcode</code></a> brings the well known Java rule
+  <li>
+    <p>The new Apex rule <a href="pmd_rules_apex_errorprone.html#overridebothequalsandhashcode"><code class="language-plaintext highlighter-rouge">OverrideBothEqualsAndHashcode</code></a> brings the well known Java rule
 to Apex. In Apex the same principle applies: <code class="language-plaintext highlighter-rouge">equals</code> and <code class="language-plaintext highlighter-rouge">hashCode</code> should always be overridden
-together to ensure collection classes such as Maps and Sets work as expected.</li>
+together to ensure collection classes such as Maps and Sets work as expected.</p>
+  </li>
+  <li>
+    <p>The new Visualforce rule <a href="pmd_rules_vf_security.html#vfhtmlstyletagxss"><code class="language-plaintext highlighter-rouge">VfHtmlStyleTagXss</code></a> checks for potential XSS problems
+when using <code class="language-plaintext highlighter-rouge">&lt;style&gt;</code> tags on Visualforce pages.</p>
+  </li>
 </ul>

 <h3 id="fixed-issues">Fixed Issues</h3>
@@ -1472,6 +1478,7 @@ of the language is changed.</li>
  <li><a href="https://github.com/pmd/pmd/pull/2968">#2968</a>: [java] NPE in UseCollectionIsEmptyRule with enums - <a href="https://github.com/foxmason">foxmason</a></li>
  <li><a href="https://github.com/pmd/pmd/pull/2983">#2983</a>: [java] LiteralsFirstInComparisons should consider constant fields - <a href="https://github.com/ozangulle">Ozan Gulle</a></li>
  <li><a href="https://github.com/pmd/pmd/pull/2994">#2994</a>: [core] Fix code climate severity strings - <a href="https://github.com/vmaurin">Vincent Maurin</a></li>
+  <li><a href="https://github.com/pmd/pmd/pull/3005">#3005</a>: [vf] [New Rule] Handle XSS violations that can occur within Html Style tags - <a href="https://github.com/rmohan20">rmohan20</a></li>
 </ul>


--- a/pmd_rules_vf.html
+++ b/pmd_rules_vf.html
@@ -1412,6 +1412,7 @@ $('#toc').toc({ minimumHeaders: 0, listType: 'ul', showSpeed: 0, headers: 'h2,h3

 <ul>
  <li><a href="pmd_rules_vf_security.html#vfcsrf">VfCsrf</a>: Avoid calling VF action upon page load as the action becomes vulnerable to CSRF.</li>
+  <li><a href="pmd_rules_vf_security.html#vfhtmlstyletagxss">VfHtmlStyleTagXss</a>: Checks for the correct encoding in ‘&lt;style/&gt;’ tags in Visualforce pages. The rule is based on Sal…</li>
  <li><a href="pmd_rules_vf_security.html#vfunescapeel">VfUnescapeEl</a>: Avoid unescaped user controlled content in EL as it results in XSS.</li>
 </ul>

--- a/pmd_rules_vf_security.html
+++ b/pmd_rules_vf_security.html
@@ -5,7 +5,7 @@
 <meta http-equiv="X-UA-Compatible" content="IE=edge">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <meta name="description" content="Rules that flag potential security flaws.">
-<meta name="keywords" content=" Security, VfCsrf, VfUnescapeEl">
+<meta name="keywords" content=" Security, VfCsrf, VfHtmlStyleTagXss, VfUnescapeEl">
 <title>Security | PMD Source Code Analyzer</title>
 <link rel="stylesheet" href="css/syntax.css">

@@ -1425,6 +1425,43 @@ $('#toc').toc({ minimumHeaders: 0, listType: 'ul', showSpeed: 0, headers: 'h2,h3
 <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/vf/security.xml/VfCsrf"</span> <span class="nt">/&gt;</span>
 </code></pre></div></div>

+<h2 id="vfhtmlstyletagxss">VfHtmlStyleTagXss</h2>
+
+<p><strong>Since:</strong> PMD 6.31.0</p>
+
+<p><strong>Priority:</strong> Medium (3)</p>
+
+<p>Checks for the correct encoding in <code class="language-plaintext highlighter-rouge">&lt;style/&gt;</code> tags in Visualforce pages.</p>
+
+<p>The rule is based on Salesforce Security’s recommendation to prevent XSS in Visualforce as mentioned
+on <a href="https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_scripting.htm">Secure Coding Cross Site Scripting</a>.</p>
+
+<p>In order to avoid cross site scripting, the relevant encoding must be used in HTML tags. The rule expects
+<code class="language-plaintext highlighter-rouge">URLENCODING</code> or <code class="language-plaintext highlighter-rouge">JSINHTMLENCODING</code> for URL-based style values and any kind of encoding
+(e.g. <code class="language-plaintext highlighter-rouge">HTMLENCODING</code>) for non-url style values.</p>
+
+<p>See also <a href="pmd_rules_vf_security.html#vfunescapeel"><code class="language-plaintext highlighter-rouge">VfUnescapeEl</code></a> to check escaping in other places on Visualforce pages.</p>
+
+<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfHtmlStyleTagXssRule.java">net.sourceforge.pmd.lang.vf.rule.security.VfHtmlStyleTagXssRule</a></p>
+
+<p><strong>Example(s):</strong></p>
+
+<pre><code class="language-vf">&lt;apex:page&gt;
+    &lt;style&gt;
+        div {
+            background: url('{!XSSHere}'); // Potential XSS
+        }
+        div {
+            background: url('{!URLENCODE(XSSHere)}'); // correct encoding
+        }
+    &lt;/style&gt;
+&lt;/apex:page&gt;
+</code></pre>
+
+<p><strong>Use this rule by referencing it:</strong></p>
+<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/vf/security.xml/VfHtmlStyleTagXss"</span> <span class="nt">/&gt;</span>
+</code></pre></div></div>
+
 <h2 id="vfunescapeel">VfUnescapeEl</h2>

 <p><strong>Since:</strong> PMD 5.6.0</p>
--- a/search.json
+++ b/search.json
@@ -5482,6 +5482,15 @@
 }
 ,

+{
+"title": "VfHtmlStyleTagXss (Salesforce VisualForce, Security)",
+"tags": "",
+"keywords": "VfHtmlStyleTagXss",
+"url": "pmd_rules_vf_security.html#vfhtmlstyletagxss",
+"summary": "Rules that flag potential security flaws."
+}
+,
+
 {
 "title": "VfUnescapeEl (Salesforce VisualForce, Security)",
 "tags": "",