PMD's vbhtml and yahtml report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser.
While the default html format is not affected via rule violation messages (it correctly uses StringEscapeUtils.escapeHtml4()), it has a similar problem when rendering suppressed violations. The user supplied message (the reason for the suppression) was not escaped.
VBHTMLRenderer.java line 71 appends rv.getDescription() directly into HTML:
sb.append("<td><font class=body>").append(rv.getDescription()).append("</font></td>");
YAHTMLRenderer.java lines 196–203 does the same via renderViolationRow():
private String renderViolationRow(String name, String value) {
return "<tr><td><b>" + name + "</b></td>" + "<td>" + value + "</td></tr>";
}
Called at line 172:
out.print(renderViolationRow("Description:", violation.getDescription()));
The violation message originates from AvoidDuplicateLiteralsRule.java line 91, which embeds raw string literal values via first.toPrintableString(). This calls StringUtil.escapeJava() (line 476–480), which is a Java source escaper — it passes <, >, and & through unchanged because they are printable ASCII (0x20–0x7e).
By contrast, HTMLRenderer.java line 143 properly escapes:
String d = StringEscapeUtils.escapeHtml4(rv.getDescription());
public class Exploit {
String a = "<img src=x onerror=alert(document.domain)>";
String b = "<img src=x onerror=alert(document.domain)>";
String c = "<img src=x onerror=alert(document.domain)>";
String d = "<img src=x onerror=alert(document.domain)>";
}
vbhtml format:pmd check...
7.22.0Exploitability
AV:NAC:HPR:NUI:RScope
S:UImpact
C:HI:HA:N6.8/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N