Cross-Site Scripting in Scala
Play Framework
The Scala Play Framework provides its own template engine (Twirl) in which Scala expressions are embedded using the multi-purpose @
character. By default, the values these expressions produce are escaped according to the template type, yet programmers may bypass this behavior, which may lead to XSS.
Vulnerable Example
Consider this template snippet:
<p>
@Html(article.content)
</p>
This tells the template engine to trust article.content as raw HTML: the value is wrapped in Html and emitted verbatim, with no escaping applied.
This may be appropriate if the value comes from an external Markdown to HTML conversion facility. But if users directly control it, it introduces an XSS exposure in the web application.
Prevention
To prevent this kind of issue, double-check that the bypass is really needed (and safe), and otherwise switch back to the default behavior:
<p>
@(article.content)
</p>
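The following is an added example, not code from the original page, showing what the two template variants above (the Html bypass and the default path) reduce to in the Twirl API, with the Prevention decision made explicit. It assumes twirl-api (play.twirl.api) is on the classpath and uses a constructed article body.

```scala
// Added example (not from the original page): what `@Html(article.content)`
// and `@(article.content)` compile down to in the Twirl API used by Play.
// Assumes twirl-api (play.twirl.api) is on the classpath; input is constructed.
import play.twirl.api.{Html, HtmlFormat}

object ArticleRendering {
  // Constructed, user-controlled article body containing an injection attempt.
  val untrustedContent: String = """Hello <script>alert(document.cookie)</script>"""

  // Equivalent of `@Html(article.content)`: the value is trusted as raw HTML
  // and emitted verbatim, so the <script> element survives.
  def renderTrusted(content: String): Html = Html(content)

  // Equivalent of `@(article.content)`: the default path. The engine escapes
  // '<', '>', '"', '\'' and '&' before emitting the value.
  def renderEscaped(content: String): Html = HtmlFormat.escape(content)

  // The decision from the Prevention section made explicit: skip escaping only
  // when the value provably comes from a trusted producer (e.g. a server-side
  // Markdown-to-HTML converter that sanitizes its output), never for content
  // the user controls directly.
  def renderArticle(content: String, producedByTrustedConverter: Boolean): Html =
    if (producedByTrustedConverter) renderTrusted(content) else renderEscaped(content)

  def main(args: Array[String]): Unit = {
    val raw  = renderArticle(untrustedContent, producedByTrustedConverter = true).body
    val safe = renderArticle(untrustedContent, producedByTrustedConverter = false).body
    println(s"bypass : $raw")   // <script> survives as live markup
    println(s"default: $safe")  // &lt;script&gt; renders as visible text
    assert(raw.contains("<script>"))
    assert(!safe.contains("<script>") && safe.contains("&lt;script&gt;"))
  }
}
```

Running the object prints both renderings side by side; the assertions hold because HtmlFormat.escape turns the angle brackets into entities while Html leaves the string untouched.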