Add XSS protection example #238

Merged 4 commits into master from web/web-thymeleaf-xss on May 25, 2025

Conversation

rashidi (Owner) commented May 19, 2025

No description provided.

@rashidi rashidi added the enhancement New feature or request label May 19, 2025

@gemini-code-assist gemini-code-assist bot left a comment


Hello @rashidi, I'm Gemini Code Assist [1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

Hello team, gemini-code-assist here to provide a summary of this pull request. This PR introduces a new Spring Boot example project demonstrating how to protect against Cross-Site Scripting (XSS) attacks in a web application using Thymeleaf and Spring Security. The example sets up a basic web page that takes user input and displays it, showcasing how Thymeleaf's default escaping prevents simple injection and how Spring Security headers (Content-Security-Policy and X-XSS-Protection) add further layers of defense.

Highlights

  • New Example Project: A new Spring Boot project (web-thymeleaf-xss) is added to demonstrate XSS protection.
  • Basic Web Endpoint: A simple /greet endpoint is created using Spring MVC, which accepts a name parameter from the request.
  • Thymeleaf Integration: A Thymeleaf template (greet.html) is used to render the greeting, leveraging Thymeleaf's automatic HTML escaping for user-provided data.
  • Spring Security Headers: Spring Security is configured to add crucial security headers: Content-Security-Policy (default-src 'self') and X-XSS-Protection (1; mode=block) to enhance defense against XSS.
  • Security Header Tests: A test is included to verify that the /greet endpoint correctly returns the configured Content-Security-Policy and X-XSS-Protection headers.

Changelog

  • web-thymeleaf-xss/.gitattributes
    • Adds standard git attributes for line endings and binary files.
  • web-thymeleaf-xss/.gitignore
    • Adds standard ignore rules for build tools and IDEs (Gradle, STS, IntelliJ, NetBeans, VS Code).
  • web-thymeleaf-xss/build.gradle.kts
    • Configures a new Gradle project with dependencies for Spring Boot Web, Thymeleaf, and Security.
    • Sets Java language version to 21.
  • web-thymeleaf-xss/settings.gradle.kts
    • Sets the root project name for the new example.
  • web-thymeleaf-xss/src/main/java/zin/rashidi/web/xss/WebThymeleafXssApplication.java
    • Adds the main Spring Boot application class.
  • web-thymeleaf-xss/src/main/java/zin/rashidi/web/xss/greet/GreetResource.java
    • Adds a Spring MVC controller with a /greet GET endpoint that takes a name parameter and passes it to the model.
  • web-thymeleaf-xss/src/main/java/zin/rashidi/web/xss/security/SecurityConfiguration.java
    • Adds a Spring Security configuration class.
    • Configures the SecurityFilterChain to add Content-Security-Policy and X-XSS-Protection headers to responses.
  • web-thymeleaf-xss/src/main/resources/application.properties
    • Sets the Spring application name.
  • web-thymeleaf-xss/src/main/resources/templates/greet.html
    • Adds a Thymeleaf template to display a greeting using the name parameter from the model.
  • web-thymeleaf-xss/src/test/java/zin/rashidi/web/xss/WebThymeleafXssApplicationTests.java
    • Adds a standard Spring Boot test context loading class.
  • web-thymeleaf-xss/src/test/java/zin/rashidi/web/xss/greet/GreetResourceTests.java
    • Adds a test class for the GreetResource.
    • Includes a test to verify that the /greet endpoint returns the expected security headers (CSP and X-XSS-Protection).


Input comes our way,
Thymeleaf escapes the script,
Headers block the rest.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.
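The two pieces the summary above describes, written out as an added example (this is not the PR's code, and nothing in it is quoted from the repository): a Spring Security 6 filter chain that sets the Content-Security-Policy and X-XSS-Protection headers, and a MockMvc test that checks both headers and that Thymeleaf has escaped a script tag passed in the name parameter. Package and class names follow the changelog; the controller GreetResource and a greet.html template that renders ${name} through th:text are assumed, as is the permitAll rule that keeps /greet reachable without credentials in the test.

```java
// ---- file: src/main/java/zin/rashidi/web/xss/security/SecurityConfiguration.java (example, not the PR's) ----
package zin.rashidi.web.xss.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;

@Configuration
public class SecurityConfiguration {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Assumption: the greeting page is public, so the header test needs no credentials.
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            .headers(headers -> headers
                // CSP: scripts, styles and images may only come from this origin. An inline
                // <script> that somehow reached the page unescaped would still not execute.
                .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'"))
                // Legacy header for older browsers; current browsers ignore it, CSP is the real control.
                .xssProtection(xss -> xss.headerValue(
                        XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK)));
        return http.build();
    }
}

// ---- file: src/test/java/zin/rashidi/web/xss/greet/GreetResourceTests.java (example, not the PR's) ----
package zin.rashidi.web.xss.greet;

import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.not;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.Import;
import org.springframework.test.web.servlet.MockMvc;
import zin.rashidi.web.xss.security.SecurityConfiguration;

@WebMvcTest(GreetResource.class)
@Import(SecurityConfiguration.class)
class GreetResourceTests {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void greetSetsSecurityHeadersAndEscapesUserInput() throws Exception {
        // Constructed input: the standard reflected-XSS probe, used here only to prove escaping.
        String payload = "<script>alert('xss')</script>";

        mockMvc.perform(get("/greet").param("name", payload))
                .andExpect(status().isOk())
                .andExpect(header().string("Content-Security-Policy", "default-src 'self'"))
                .andExpect(header().string("X-XSS-Protection", "1; mode=block"))
                // th:text escapes < and >, so the markup arrives as text the browser will not run...
                .andExpect(content().string(containsString("&lt;script&gt;")))
                // ...and the raw tag never appears in the response body.
                .andExpect(content().string(not(containsString(payload))));
    }
}
```

The test deliberately asserts on the body as well as the headers: a header check alone would still pass if a template were switched from th:text to th:utext, which disables escaping, so the body assertion is what actually guards the escaping behaviour the example is meant to demonstrate.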


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a valuable example demonstrating XSS protection in a Spring Boot application using Thymeleaf. The core mechanisms, including Content Security Policy (CSP), the X-XSS-Protection header, and Thymeleaf's inherent output escaping, are well-implemented. The accompanying test effectively verifies the presence of the configured security headers.

I've identified a couple of areas for improvement, primarily concerning the build configuration and a minor HTML formatting detail. Addressing these will enhance the robustness and correctness of the example.

Summary of Findings

  • Build Configuration Versions: The build.gradle.kts file specifies Spring Boot plugin version 3.4.5 and io.spring.dependency-management version 1.1.7. These seem to be non-GA or potentially non-existent versions. It's recommended to use the latest stable GA versions for reliability. (Severity: high, commented)
  • HTML Tag Formatting: In greet.html, the <p> tag uses self-closing syntax (<p ... />), which is not standard for non-void elements in HTML5. It should be <p ...></p>. (Severity: medium, commented)
  • Missing Newline at End of File: Some files (e.g., web-thymeleaf-xss/src/main/resources/templates/greet.html, web-thymeleaf-xss/src/test/java/zin/rashidi/web/xss/greet/GreetResourceTests.java) are missing a final newline character. This is a minor stylistic convention that some tools and systems prefer. (Severity: low, not commented due to review settings)
  • Class Visibility Convention: The classes GreetResource.java and SecurityConfiguration.java use default (package-private) visibility. While this is functional, public visibility is a more common convention for Spring components like @Controller and @Configuration to ensure they are consistently discoverable and accessible, especially if the project structure evolves. (Severity: low, not commented due to review settings)

Merge Readiness

The pull request provides a good example of XSS protection. However, there is a high-severity issue regarding the Spring Boot and dependency management plugin versions in the build.gradle.kts file that needs to be addressed to ensure the project builds reliably with stable dependencies. There's also a medium-severity HTML formatting suggestion.

I recommend addressing these points, particularly the build configuration, before merging. As I am an AI assistant, I am not authorized to approve pull requests; please ensure further review and approval by authorized maintainers after the changes are made.

@rashidi rashidi force-pushed the web/web-thymeleaf-xss branch from 36f6bae to 43dca3c on May 25, 2025 04:30

@rashidi rashidi merged commit 8c561bf into master May 25, 2025
7 checks passed
@rashidi rashidi deleted the web/web-thymeleaf-xss branch May 25, 2025 07:15