The Scala Play Framework provides its own template engine where Scala code can be accessed using the multi-purpose
@ character. By default, the values Scala produces are properly escaped according to the template type, yet programmers may bypass this behavior, which may lead to XSS.
Consider this template snippet:
<p> @Html(article.content) </p>
This tells the template engine to trust article.content and emit it verbatim, without escaping. That may be appropriate if the value comes from an external Markdown to HTML conversion facility; but if users directly control it, it introduces an XSS exposure in the web application.
To prevent this kind of issue, double-check that the bypass is really needed (and safe), and switch back to the default behavior otherwise:
<p> @(article.content) </p>
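As an added example (not code from the original article), the same user-supplied string rendered through the two template forms, using Twirl's runtime API (play.twirl.api, the calls the template compiler generates); renderMarkdown is a hypothetical stand-in for the external converter, not a real library.

```scala
// Added example, not from the original article. Requires the twirl-api
// dependency; the Markdown converter below is a hypothetical placeholder.
import play.twirl.api.{Html, HtmlFormat}

object ArticleRendering {
  // Constructed sample: content a user typed into the article body.
  val userContent: String = "Hello <b>world</b> & \"friends\""

  // What @(article.content) does in an .scala.html template: the String is
  // passed through HtmlFormat.escape, so <, >, &, " and ' become entities.
  def renderEscaped(content: String): Html = HtmlFormat.escape(content)

  // What @Html(article.content) does: the string is wrapped as-is and emitted
  // verbatim, so any markup in it is interpreted by the browser.
  def renderTrusted(content: String): Html = Html(content)

  // Hypothetical stand-in for an external Markdown-to-HTML converter that is
  // trusted to emit only safe markup: it escapes the input first and only then
  // adds its own markup (here just *emphasis*), so user-supplied tags never
  // reach the page unescaped. Wrapping its output in Html is the legitimate
  // use of the bypass described above.
  def renderMarkdown(md: String): Html = {
    val escaped = HtmlFormat.escape(md).body
    Html(escaped.replaceAll("""\*([^*]+)\*""", "<em>$1</em>"))
  }

  def main(args: Array[String]): Unit = {
    println("@(article.content):    " + renderEscaped(userContent).body)
    println("@Html(article.content): " + renderTrusted(userContent).body)
    println("converter output:       " + renderMarkdown("Hello *world* <b>x</b>").body)
  }
}
```

Only the second line reaches the browser with the user's <b> tag intact, which is the exposure the text describes; the converter path is safe because escaping happens before any markup is added.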