Add examples for cross-site-scripting (#60)

Author: awsgaucho

src/java/detectors/cross_site_scripting/CrossSiteScripting.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package detectors.cross_site_scripting;
+
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.ModelAndView;
+
+public class CrossSiteScripting {
+
+    // {fact rule=cross-site-scripting@v1.0 defects=1}
+    public ModelAndView inputSanitizationNonCompliant(@RequestParam String favoriteColor) {
+        ModelAndView modelAndView = new ModelAndView();
+        modelAndView.setViewName("jsp/example.jsp");
+        // Noncompliant: user-supplied parameter might contain malicious content.
+        modelAndView.addObject("preferredColor", favoriteColor);
+        return modelAndView;
+    }
+    // {/fact}
+
+    // {fact rule=cross-site-scripting@v1.0 defects=0}
+    public ModelAndView inputSanitizationCompliant(@RequestParam String favoriteColor) {
+        ModelAndView modelAndView = new ModelAndView();
+        modelAndView.setViewName("jsp/example.jsp");
+        // Compliant: user-supplied parameter must be in allow-list.
+        if (favoriteColor.matches("[a-z]+")) {
+            modelAndView.addObject("preferredColor", favoriteColor);
+        } else {
+            throw new IllegalArgumentException("Invalid color!");
+        }
+        return modelAndView;
+    }
+    // {/fact}
+
+}