Avoid reflecting servlet request data through response writers | Critiq Docs

#Metadata

Rule ID: java.security.reflected-output-from-request
Severity: high
Confidence: 0.76
Languages: java
Presets: security, strict
Stability: experimental
Applies to: block
Tags: rules-catalog, security, servlet, xss

#Why it matters

Writing request-controlled strings directly into HTTP responses is a common reflected XSS vector for servlet stacks.

#Remediation

Contextually encode output for HTML or JSON consumers, validate redirect-like flows separately, and prefer templating APIs that auto-escape.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/java/java.security.reflected-output-from-request.rule.yaml.

Back to directory Open rule in repository