From a5d4f84e0065389c59b6fc29ad35d32ff9f1be03 Mon Sep 17 00:00:00 2001
From: Dave Wichers
Date: Wed, 4 Feb 2026 15:45:11 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 34: Cross-site scripting

Bad XSS fix for Benchmark00728

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../benchmark/testcode/Benchmark00728.java | 32 ++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00728.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00728.java
index 1972e5c..e692ecd 100644
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00728.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00728.java
@@ -29,6 +29,36 @@ public class Benchmark00728 extends HttpServlet {
 private static final long serialVersionUID = 1L;
+ private static String escapeHtml(String input) {
+ if (input == null) {
+ return "";
+ }
+ StringBuilder sb = new StringBuilder(input.length());
+ for (int i = 0; i < input.length(); i++) {
+ char c = input.charAt(i);
+ switch (c) {
+ case '&':
+ sb.append("&");
+ break;
+ case '<':
+ sb.append("<");
+ break;
+ case '>':
+ sb.append(">");
+ break;
+ case '"':
+ sb.append(""");
+ break;
+ case '\'':
+ sb.append("'");
+ break;
+ default:
+ sb.append(c);
+ }
+ }
+ return sb.toString();
+ }
+ @Override
 public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
@@ -53,6 +83,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 else bar = "This should never happen";
 response.setHeader("X-XSS-Protection", "0");
- response.getWriter().println(bar);
+ response.getWriter().println(escapeHtml(bar));
 }
 }
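Review bot: The `escapeHtml` helper added in this hunk does not encode anything as rendered here — every `case` appends the same character it matched (`case '&': sb.append("&")`, `case '<': sb.append("<")`, and so on), so the output is byte-identical to the input and the `println(escapeHtml(bar))` call in the second hunk stays as exposed as the line it replaces; the `'"'` case, `sb.append(""")`, is not even valid Java as shown. It is possible the entity references were decoded when this page was extracted, so confirm against the actual file in the repository before acting, and the subject line's own "Bad XSS fix" wording suggests this may be a deliberately inadequate fix for the benchmark. If a real fix is intended, each case should append the HTML entity form, or the hand-rolled switch should be replaced by a maintained encoder such as OWASP Java Encoder's `Encode.forHtml`. The `Benchmark00728` class body continues outside the hunk.
```java
    switch (c) {
        case '&': sb.append("&amp;"); break;
        case '<': sb.append("&lt;"); break;
        case '>': sb.append("&gt;"); break;
        case '"': sb.append("&quot;"); break;
        case '\'': sb.append("&#x27;"); break;
        default: sb.append(c);
    }
    // … unchanged: null guard, character loop and return …
```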
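Review bot: The new `response.getWriter().println(escapeHtml(bar))` line protects only the HTML element-content context, because the helper handles just the five HTML-significant characters; that matches a bare `println` into the body but would be insufficient if `bar` were ever placed in an attribute, URL or script context. No `setContentType` call is visible in this hunk and the retained `X-XSS-Protection: 0` header switches off the legacy browser filter, so the output encoding is the sole control here — presumably intended for the benchmark, but worth a one-line comment such as `// Output context: HTML body text; re-check the encoder if this context changes.` The enclosing `doPost` method starts outside the hunk.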