From 7a9ccb70dfd9b713dac34c3b4dc36c21dbced175 Mon Sep 17 00:00:00 2001
From: Sergey
Date: Wed, 12 Apr 2017 15:53:24 -0700
Subject: [PATCH] JS encoded and parsed JSON is safe
---
 .../lang/vf/rule/security/VfUnescapeElRule.java | 6 +++++-
 .../lang/vf/rule/security/xml/VfUnescapeEl.xml | 16 ++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
index 7ee825866c..6228ba40b9 100644
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@@ -93,7 +93,11 @@ public class VfUnescapeElRule extends AbstractVfRule {
 }
 } else {
 if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
- addViolation(data, elExpression);
+ final boolean hasUnscaped = doesElContainAnyUnescapedIdentifiers(elExpression,
+ EnumSet.of(Escaping.JSENCODE, Escaping.JSINHTMLENCODE));
+ if (!(jsonParse && !hasUnscaped)) {
+ addViolation(data, elExpression);
+ }
 }
 }
 }
diff --git a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
index 915d45ad51..3182902eb4 100644
--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
@@ -605,4 +605,20 @@ JSON.parse method evaluates non quoted EL to unsafe XSS vf + + + 0 + + + +]]> + vf + +
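Review bot: The new guard `if (!(jsonParse && !hasUnscaped))` is a double negation that states the suppression condition backwards, and the local is misspelled; write it as `final boolean hasUnescaped = doesElContainAnyUnescapedIdentifiers(elExpression, EnumSet.of(Escaping.JSENCODE, Escaping.JSINHTMLENCODE));` followed by `if (!jsonParse || hasUnescaped) { addViolation(data, elExpression); }`. A why-comment above it would help the next maintainer, e.g. `// An expression passed to JSON.parse(...) whose identifiers are all JS-encoded is treated as safe; everything else is still reported.` The hunk shows neither where `jsonParse` is set nor the import block, so confirm that `java.util.EnumSet` is already imported and that `jsonParse` is only true when the expression is the argument of JSON.parse. The enclosing method starts and ends outside this hunk.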