Cross-site scripting (Severity: High)

User-controllable input must be sanitized before it is included in output used to dynamically generate a web page. Unsanitized user input can introduce cross-site scripting (XSS) vulnerabilities, in which attacker-supplied markup or script is inadvertently executed in the trusted context of the page.

Detector ID
kotlin/cross-site-scripting@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

// Noncompliant: Using unsanitized external inputs which leads to XSS
import java.io.PrintWriter

fun noncompliant() {
    print("Enter your name:")
    val name = readLine() // untrusted input

    val writer = PrintWriter(System.out)
    // The raw value is interpolated straight into HTML, so any markup it contains is emitted as-is
    writer.write("<p>Hello, $name!</p>")
    writer.flush()
}

Compliant example

// Compliant: Not using any unsanitized external inputs
import java.io.PrintWriter

fun compliant() {
    print("Enter your name:")
    val name = readLine() // read, but never interpolated into the HTML output

    val writer = PrintWriter(System.out)
    writer.write("<p>Hello, name!</p>")
    writer.flush()
}
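The compliant example above avoids the problem by not emitting the input at all. When the name does have to appear in the page, the practical fix is to HTML-encode it at the output boundary. The following is an added example, not code from the detector documentation; `escapeHtml` and `renderGreeting` are hand-written helpers (a library encoder such as the OWASP Java Encoder would serve the same purpose) and the sample input is constructed.

```kotlin
import java.io.PrintWriter

// Minimal HTML encoding for text placed between tags (element content).
// Attribute values, URLs and JavaScript contexts each need their own encoder.
fun escapeHtml(input: String): String {
    val sb = StringBuilder(input.length + 16)
    for (ch in input) {
        when (ch) {
            '&' -> sb.append("&amp;")
            '<' -> sb.append("&lt;")
            '>' -> sb.append("&gt;")
            '"' -> sb.append("&quot;")
            '\'' -> sb.append("&#x27;")
            else -> sb.append(ch)
        }
    }
    return sb.toString()
}

// Build the greeting markup from untrusted input; encoding happens where the
// value meets the HTML, so the tags in the input are rendered as literal text.
fun renderGreeting(name: String): String = "<p>Hello, ${escapeHtml(name)}!</p>"

fun main() {
    // Constructed sample input containing markup and special characters
    val untrustedName = "Ada <b>Lovelace</b> & \"friends\""
    val writer = PrintWriter(System.out, true)
    writer.println(renderGreeting(untrustedName))
}
```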

Noncompliant example

// Noncompliant: Enabled JavaScript support for WebViews
import android.app.Activity
import android.webkit.WebView

// Written as an Activity extension so findViewById resolves; R.id.webview is the layout's WebView
fun Activity.noncompliant() {
    val webView: WebView = findViewById(R.id.webview)
    webView.getSettings().setJavaScriptEnabled(true) // Sensitive
}

Compliant example

// Compliant: Disabled JavaScript support for WebViews
import android.app.Activity
import android.webkit.WebView

// Written as an Activity extension so findViewById resolves; R.id.webview is the layout's WebView
fun Activity.compliant() {
    val webView: WebView = findViewById(R.id.webview)
    webView.getSettings().setJavaScriptEnabled(false)
}