Any plans to support JSP? #17646
It appears codeql doesn't currently detect Java Server Pages (JSP) Reflected Cross Site Scripting vulnerabilities. Any plans to support it? Rule may roughly involve looking for ${param.*} in JSP file and if that value isn't one of the three exemption cases then it's vulnerable. The exemption cases being:
- isn't located inside a <c:out value="${?}"/>
- isn't located inside a ${fn:escapeXml(?)}
- isn't part of an expression with a function call or operand such as eq
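The heuristic sketched in the question, as an added example that is not part of the discussion or of CodeQL: a small Python scanner that walks a constructed JSP fragment, flags every EL expression referencing `param.`, and applies the three exemption cases named in the post (inside a `<c:out>` tag, wrapped in `fn:escapeXml`, or used inside a larger expression with a function call or operator such as `eq`). The JSP text, regexes and function names are assumptions for illustration.

```python
import re

# Constructed JSP fragment (not from the discussion) covering the three
# exemption cases from the post plus two uses the heuristic should flag.
SAMPLE_JSP = """\
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<p>Hello <c:out value="${param.name}"/></p>
<p>Search: ${fn:escapeXml(param.q)}</p>
<c:if test="${param.mode eq 'admin'}">admin view</c:if>
<p>Raw: ${param.name}</p>
<input value="${param.q}">
"""

EL_EXPR = re.compile(r"\$\{([^}]*)\}")          # any ${...} expression
C_OUT_TAG = re.compile(r"<c:out\b[^>]*>")       # span of a <c:out .../> tag
# EL operators: if one appears, the value is used in an expression rather
# than echoed as-is (the post's third exemption case).
EL_OPERATORS = re.compile(
    r"(?<![\w:])(eq|ne|lt|gt|le|ge|and|or|not|empty|div|mod)(?![\w:])"
    r"|[=!<>]=?|&&|\|\||[+\-*/%?]")

def is_exempt(body: str, start: int, c_out_spans: list) -> bool:
    # Case 1: the expression sits inside a <c:out .../> tag
    if any(lo <= start < hi for lo, hi in c_out_spans):
        return True
    # Case 2: the whole expression is wrapped in fn:escapeXml(...)
    if body.strip().startswith("fn:escapeXml("):
        return True
    # Case 3: part of a larger expression (function call or operator)
    if "(" in body or EL_OPERATORS.search(body):
        return True
    return False

def find_unescaped_params(jsp: str) -> list:
    """Return (line, expression) for each ${param.*} use that is not exempt."""
    c_out_spans = [(m.start(), m.end()) for m in C_OUT_TAG.finditer(jsp)]
    findings = []
    for m in EL_EXPR.finditer(jsp):
        body = m.group(1)
        if "param." not in body:            # only request-parameter reads
            continue
        if is_exempt(body, m.start(), c_out_spans):
            continue
        line = jsp.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(0)))
    return findings
```

The scan is purely textual: it recognises only the dotted `param.` form the post names, so `param['x']`, scriptlets and other escaping tags are out of scope and would need a proper parser.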
Thanks for your question. There has been some work on JSP support in the past, but I don't think it has become a fully supported feature.
If you're curious you could try running CodeQL with the environment variable CODEQL_EXTRACTOR_JAVA_JSP=true. Note that experimental features should typically be avoided for production use.