
Cross-Site Scripting in Scala

Play Framework

The Scala Play Framework provides its own template engine (Twirl), where Scala code is embedded using the multi-purpose @ character. By default, the values that Scala expressions produce are escaped according to the template type, but programmers can explicitly bypass this escaping, and doing so with user-controlled data may lead to XSS.

Vulnerable Example

Consider this template snippet:

<p>
  @Html(article.content)
</p>

This tells the template engine to trust article.content and emit it verbatim, without escaping. That may be appropriate if the value comes from a trusted external Markdown to HTML conversion facility. If, however, users directly control the value, it introduces an XSS exposure in the web application.

Prevention

To prevent this kind of issue, double-check that the bypass is really needed (and that the value is safe); otherwise switch back to the default escaping behavior:

<p>
  @(article.content)
</p>
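The following Scala snippet is an added example, not code from this page or from the Play project; it assumes twirl-api (play.twirl.api.Html and HtmlFormat) on the classpath. It shows what the two template forms above emit for the same user-controlled string, and adds one caveat the snippets alone do not show: the default escaping applies only when the value is a String, while a value already typed as Html is emitted raw by both forms, so the safe boundary is the point where a String becomes an Html value.

```scala
// Added example: what Twirl emits for a user-controlled value with and
// without the @Html bypass. Assumes twirl-api on the classpath.
import play.twirl.api.{Html, HtmlFormat}

object TwirlEscapingDemo {
  // Constructed sample of attacker-controlled content with a script tag.
  val userContent: String = """<script>alert("xss")</script>"""

  // What `@(article.content)` emits when content is a String:
  // Twirl applies HtmlFormat.escape, so the tag is neutralised.
  def renderedByDefault(content: String): String =
    HtmlFormat.escape(content).body

  // What `@Html(article.content)` emits: the raw string, unchanged.
  def renderedWithBypass(content: String): String =
    Html(content).body

  // Caveat: if the value is already typed as Html, `@(article.content)`
  // does NOT escape it either. Twirl trusts Html values by construction,
  // so the place that wraps a String into Html is the real trust boundary.
  def renderedAlreadyHtml(content: Html): String =
    HtmlFormat.raw(content.body).body

  // Defensive model: keep user-controlled text as String until it has
  // passed through a trusted converter/sanitizer, and only then give the
  // template an Html value. The converter is deliberately not shown here.
  final case class Article(title: String, body: String)

  def main(args: Array[String]): Unit = {
    println("default (String):  " + renderedByDefault(userContent))
    println("bypass  (@Html):   " + renderedWithBypass(userContent))
    println("typed as Html:     " + renderedAlreadyHtml(Html(userContent)))
  }
}
```

When reviewing templates, search for `@Html(` and for model fields typed `Html`; each one is a place where the default escaping is off and the origin of the value must be verified.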

References

Play Framework - The template engine