+ "details": "### Summary\nPMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser.\n\nWhile the default `html` format is not affected via rule violation messages (it correctly uses `StringEscapeUtils.escapeHtml4()`), it has a similar problem when rendering suppressed violations. The user supplied message (the reason for the suppression) was not escaped.\n\n### Details\n`VBHTMLRenderer.java` line 71 appends `rv.getDescription()` directly into HTML:\n\n```java\nsb.append(\"<td><font class=body>\").append(rv.getDescription()).append(\"</font></td>\");\n```\n\n`YAHTMLRenderer.java` lines 196–203 does the same via `renderViolationRow()`:\n\n```java\nprivate String renderViolationRow(String name, String value) {\n return \"<tr><td><b>\" + name + \"</b></td>\" + \"<td>\" + value + \"</td></tr>\";\n}\n```\n\nCalled at line 172:\n\n```java\nout.print(renderViolationRow(\"Description:\", violation.getDescription()));\n```\n\nThe violation message originates from `AvoidDuplicateLiteralsRule.java` line 91, which embeds raw string literal values via `first.toPrintableString()`. This calls `StringUtil.escapeJava()` (line 476–480), which is a Java source escaper — it passes `<`, `>`, and `&` through unchanged because they are printable ASCII (0x20–0x7e).\n\nBy contrast, `HTMLRenderer.java` line 143 properly escapes:\n\n```java\nString d = StringEscapeUtils.escapeHtml4(rv.getDescription());\n```\n### PoC\n\n1. Create a Java file with 4+ duplicate string literals containing an HTML payload:\n\n```java\npublic class Exploit {\n String a = \"<img src=x onerror=alert(document.domain)>\";\n String b = \"<img src=x onerror=alert(document.domain)>\";\n String c = \"<img src=x onerror=alert(document.domain)>\";\n String d = \"<img src=x onerror=alert(document.domain)>\";\n}\n```\n\n2. Run PMD with the `vbhtml` format:\n\n```bash\npmd check -R category/java/errorprone.xml -f vbhtml -d Exploit.java -r report.html\n```\n\n3. Open `report.html` in a browser. A JavaScript alert executes showing `document.domain`.\n\nThe generated HTML contains the unescaped tag:\n\n```html\n<td><font class=body>The String literal \"<img src=x onerror=alert(document.domain)>\" appears 4 times in this file</font></td>\n```\n\nTested and confirmed on PMD 7.22.0-SNAPSHOT (commit bcc646c53d).\n\n### Impact\nStored cross-site scripting (XSS). Affects CI/CD pipelines that run PMD with `--format vbhtml` or `--format yahtml` on untrusted source code (e.g., pull requests from external contributors) and expose the HTML report as a build artifact. JavaScript executes in the browser context of anyone who opens the report.\n\nPractical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format has a similar issue with user messages from suppressed violations.\n\n### Fixes\n* See [#6475](https://github.com/pmd/pmd/issues/6475): \\[core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments