Java Escape Model Strings Disabled
Description
Identifies when string escaping is explicitly disabled in Apache Wicket applications through setEscapeModelStrings(false). Disabling string escaping can lead to Cross-Site Scripting (XSS) vulnerabilities by allowing unescaped HTML and JavaScript to be rendered in the browser.
Detection Strategy
• Check whether the Apache Wicket framework is imported in the Java source code
• Find calls to the setEscapeModelStrings() method
• Verify that the method is called with false as the argument
• Report vulnerability when string escaping is explicitly disabled
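The four detection steps above, as an added example that is not part of the original page or of Fluid Attacks' own scanner: a small Python checker that applies them to Java source text. The sample inputs are constructed, and the Boolean.FALSE case goes slightly beyond the page, which only names the false literal.

```python
import re
from dataclasses import dataclass
from typing import List

# Step 1: only files that import Apache Wicket are in scope.
WICKET_IMPORT = re.compile(r"^\s*import\s+org\.apache\.wicket\.", re.MULTILINE)
# Step 2: locate each setEscapeModelStrings(...) call and capture its argument expression.
ESCAPE_CALL = re.compile(r"\.setEscapeModelStrings\s*\(\s*([^)]*?)\s*\)")
# Step 3: literals that unambiguously disable escaping (Boolean.FALSE unboxes to false).
DISABLING_ARGS = {"false", "Boolean.FALSE"}

@dataclass
class Finding:
    line: int       # 1-based line of the offending call
    argument: str   # the literal that was passed

def find_disabled_escaping(java_source: str) -> List[Finding]:
    """Step 4: report each call that disables escaping; variable arguments are left for manual review."""
    if not WICKET_IMPORT.search(java_source):
        return []
    findings = []
    for match in ESCAPE_CALL.finditer(java_source):
        arg = match.group(1)
        if arg in DISABLING_ARGS:
            line = java_source.count("\n", 0, match.start()) + 1
            findings.append(Finding(line=line, argument=arg))
    return findings

# Constructed sample inputs (not taken from a real project).
VULNERABLE_SOURCE = """\
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
public class VulnerablePage extends WebPage {
    public VulnerablePage() {
        Label label = new Label("content", getUserInput());
        label.setEscapeModelStrings(false);
        add(label);
    }
}
"""
# Same method name, but no Wicket import: must not be reported (step 1 filters it out).
UNRELATED_SOURCE = """\
import com.example.templating.Renderer;
public class Report { void init() { renderer.setEscapeModelStrings(false); } }
"""

if __name__ == "__main__":
    for f in find_disabled_escaping(VULNERABLE_SOURCE):
        print(f"VulnerablePage.java:{f.line}: setEscapeModelStrings({f.argument}) disables HTML escaping")
```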
Vulnerable code example
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
public class VulnerablePage extends WebPage {
    public VulnerablePage() {
        Label label = new Label("content", getUserInput());
        label.setEscapeModelStrings(false); // Vulnerable: Disables HTML escaping, allowing XSS
        add(label);
    }

    // Assumed helper (not shown on the original page): returns request-supplied, untrusted text
    private String getUserInput() {
        return getRequest().getRequestParameters().getParameterValue("content").toString();
    }
}
✅ Secure code example
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
public class SecurePage extends WebPage {
    public SecurePage() {
        Label label = new Label("content", getUserInput());
        // Safe: Default HTML escaping is enabled (true), preventing XSS
        add(label);
    }

    // Assumed helper (not shown on the original page): returns request-supplied, untrusted text
    private String getUserInput() {
        return getRequest().getRequestParameters().getParameterValue("content").toString();
    }
}