Java中与脚本相关的HTML标记的中和不正确(基本XSS)

时间:2016-09-23 08:11:44

标签: java spring spring-mvc xss veracode

我正在使用Veracode验证我的代码,获取错误“CWE-80:网页中与脚本相关的HTML标记的不正当中和(基本XSS)”为“return collectionService.getAllNotificationDrop()” “在下面的方法

@RequestMapping(value = "loadAllNotification", method = RequestMethod.GET)
    public @ResponseBody List<UserVO> loadAllNotification() {
        try {
            **return collectionService.getAllNotificationDrop();**
        } catch (Exception e) {
            LOGGER.debug(e);
             return null;
        }

    }




public List<UserVO> getAllNotificationDrop() throws Exception {
        LOGGER.info("Entered new method ====> getAllNotificationDrop() ");
        List<UserVO> users;
        Session session = em.unwrap(Session.class);
        try {
            users = session.createSQLQuery("SELECT login_id as userId,first_name||' '||last_name as firstName "
                    + " FROM user_master")
                    .addScalar("userId", StandardBasicTypes.STRING)
                    .addScalar("firstName", StandardBasicTypes.STRING)
                    .setResultTransformer(Transformers.aliasToBean(UserVO.class))
                    .list();
        } catch (Exception e) {
            throw new Exception("Error in getAllNotificationDrop",e);
        } finally {
            session.clear();
        }
        LOGGER.info("Method End ====> getAllNotificationDrop() ");
        return users;
    }

请帮助解决这个问题,过去几天没有任何线索。

0 个答案:

没有答案