
docs: Add Reflected XSS vulnerability report for XSSWithHtmlTagInjection#636

Closed
Karan-Raj-KR wants to merge 1 commit into SasanLabs:master from Karan-Raj-KR:security-testing-610

Conversation

@Karan-Raj-KR Karan-Raj-KR commented May 23, 2026

Description

This PR adds a comprehensive vulnerability report for the LEVEL_1 Reflected XSS flaw in XSSWithHtmlTagInjection.java. This documentation is intended to support security testing and scanner benchmarking by providing a clear, reproducible baseline for this specific attack vector.

Changes Made

  • Added a new Markdown vulnerability report detailing the exact endpoint, payload, and vulnerable code snippet.
  • Included reproducible steps tailored for a local Docker-based setup.

Testing Instructions

  1. Checkout this branch.
  2. Ensure the local stack is running via Docker Compose.
  3. Verify the payload works as documented by visiting http://localhost/VulnerableApp/XSSWithHtmlTagInjection/LEVEL_1?payload=%3Cscript%3Ealert(document.domain)%3C/script%3E.

Fixes #610

Summary by CodeRabbit

  • Documentation
    • Added a new security report documenting a reflected XSS vulnerability, including affected endpoints, reproduction steps, potential impact, and remediation guidance through proper output encoding techniques.

Review Change Stack

Added a detailed markdown report documenting the Reflected XSS vulnerability
in the LEVEL_1 endpoint of XSSWithHtmlTagInjection. The report includes
reproduction steps, payload details, and remediation guidance to assist
contributors with security testing workflows.

coderabbitai Bot commented May 23, 2026

Walkthrough

This PR adds a security report documenting a reflected XSS vulnerability in the XSSWithHtmlTagInjection controller. The documentation outlines the affected endpoint, vulnerable query parameters, vulnerability mechanics, reproduction steps, potential impact, and mitigation via context-aware output encoding.

Changes

Security Report Documentation

Layer: XSS with HTML Tag Injection Report
File(s): docs/security-reports/XSSWithHtmlTagInjection.md
Summary: Security report detailing a reflected XSS vulnerability where unsanitized query parameter values are directly embedded into HTML responses. Documents the affected endpoint, reproduction steps, impact, and remediation through output encoding techniques.

Estimated Code Review Effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A report hops in with caution and care,
Exposing XSS lurking in HTML air,
With steps to reproduce and fixes so bright,
The app learns to sanitize, making things right!

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped; CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and concisely summarizes the main change: adding a security vulnerability report document for the XSSWithHtmlTagInjection vulnerability.
  • Linked Issues check: ✅ Passed. The PR fulfills all coding-related objectives from issue #610: identifies the XSSWithHtmlTagInjection vulnerability, documents reproducible steps, includes payload examples, suggests remediation via output encoding, and improves educational value.
  • Out of Scope Changes check: ✅ Passed. All changes are directly aligned with linked issue #610 objectives; the PR exclusively adds a security vulnerability documentation file with no unrelated modifications.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.88%. Comparing base (99e0be4) to head (b6ea3ac).

Additional details and impacted files
@@            Coverage Diff            @@
##             master     #636   +/-   ##
=========================================
  Coverage     54.88%   54.88%           
  Complexity      663      663           
=========================================
  Files            91       91           
  Lines          3573     3573           
  Branches        395      395           
=========================================
  Hits           1961     1961           
  Misses         1435     1435           
  Partials        177      177           


@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/security-reports/XSSWithHtmlTagInjection.md`:
- Around line 14-15: Update the reproduction step in XSSWithHtmlTagInjection.md
to match the documented validation path format and use a URL-encoded payload so
copying works reliably; replace the current line with a URL like
"http://localhost/VulnerableApp/XSSWithHtmlTagInjection/LEVEL_1?payload=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E"
(ensure host/port pattern follows the repo's standard `http://localhost/...`
convention and the payload is percent-encoded).

📥 Commits

Reviewing files that changed from the base of the PR and between 99e0be4 and b6ea3ac.

📒 Files selected for processing (1)
  • docs/security-reports/XSSWithHtmlTagInjection.md

Comment on lines +14 to +15
1. Navigate to: `http://localhost:9090/VulnerableApp/XSSWithHtmlTagInjection/LEVEL_1?payload=<script>alert('XSS')</script>`
2. Observe the execution of the JavaScript alert.
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align reproduction URL/payload format with PR validation steps.

The repro step currently uses a different host/port pattern and a raw payload. Please align this with the documented validation path (http://localhost/...) and include a URL-encoded payload so copy/paste works reliably across clients.

Suggested doc tweak
-1. Navigate to: `http://localhost:9090/VulnerableApp/XSSWithHtmlTagInjection/LEVEL_1?payload=<script>alert('XSS')</script>`
+1. Navigate to: `http://localhost/VulnerableApp/XSSWithHtmlTagInjection/LEVEL_1?payload=%3Cscript%3Ealert(document.domain)%3C/script%3E`
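Review bot: The `+` line and the AI-agent prompt for the same two doc lines suggest different payloads: this hunk uses `alert(document.domain)` and leaves the slash unencoded (`%3C/script%3E`), while the prompt uses `alert('XSS')` and `%3C%2Fscript%3E`. Both decode to an equivalent script tag, but the report should carry one canonical form, and the form in the PR description's own testing step (`alert(document.domain)`, `%3C/script%3E`) is the natural choice so the doc and the PR text do not drift. Also note the `-` line's `localhost:9090` is not obviously wrong: this page does not establish which port the Docker Compose stack maps, so confirm the documented port mapping before dropping it rather than assuming plain `http://localhost/` is reachable in every setup.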
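Two things in this thread are easier to see in code than in prose: the walkthrough's description of a query parameter echoed unencoded into the HTML response and fixed by context-aware output encoding, and the review's two percent-encoded spellings of the same `<script>` payload. The program below is an added example written for this page; it is not code from SasanLabs/VulnerableApp or from the PR. The handler methods, the `payload` parameter name and the sample URLs are assumptions modelled on the reproduction URL in the PR description. It renders the same input through an unsafe string concatenation and through an HTML-entity-encoded path, and decodes both percent-encoded payload forms from the review to confirm they are the same string.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Added example, not VulnerableApp code. Models a reflected-XSS endpoint that
// echoes a "payload" query parameter (assumed parameter name) into HTML.
public class ReflectedXssEncodingExample {

    // Vulnerable pattern: the raw query value is concatenated into the HTML body,
    // so tag delimiters in the input become markup in the response.
    static String renderVulnerable(Map<String, String> query) {
        String payload = query.getOrDefault("payload", "");
        return "<html><body><div>" + payload + "</div></body></html>";
    }

    // Hardened pattern: the value is entity-encoded for the HTML element-content
    // context before it is placed in the response.
    static String renderEncoded(Map<String, String> query) {
        String payload = query.getOrDefault("payload", "");
        return "<html><body><div>" + encodeForHtml(payload) + "</div></body></html>";
    }

    // Encodes the characters that change meaning in HTML text and attribute
    // content. A production app would use a maintained encoder library instead.
    static String encodeForHtml(String input) {
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Regression check a doc reader can run: a response that still contains the
    // submitted tag verbatim has reflected it without encoding.
    static boolean reflectsTag(String html, String payload) {
        return payload.contains("<") && html.contains(payload);
    }

    // Extracts and percent-decodes the "payload" query value from a full URL.
    // URLDecoder also turns '+' into a space, which is fine for these payloads.
    static String payloadFromUrl(String url) {
        String rawQuery = URI.create(url).getRawQuery();
        if (rawQuery == null) {
            return "";
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (key.equals("payload")) {
                String value = eq < 0 ? "" : pair.substring(eq + 1);
                return URLDecoder.decode(value, StandardCharsets.UTF_8);
            }
        }
        return "";
    }

    public static void main(String[] args) {
        // The two URL spellings from the review comment and the PR description.
        String urlA = "http://localhost/VulnerableApp/XSSWithHtmlTagInjection/LEVEL_1"
                + "?payload=%3Cscript%3Ealert(document.domain)%3C/script%3E";
        String urlB = "http://localhost/VulnerableApp/XSSWithHtmlTagInjection/LEVEL_1"
                + "?payload=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E";

        String payloadA = payloadFromUrl(urlA);
        String payloadB = payloadFromUrl(urlB);
        System.out.println("decoded A: " + payloadA);
        System.out.println("decoded B: " + payloadB);
        System.out.println("same payload after decoding: " + payloadA.equals(payloadB));

        Map<String, String> query = Map.of("payload", payloadA);
        String vulnerable = renderVulnerable(query);
        String encoded = renderEncoded(query);
        System.out.println("vulnerable response: " + vulnerable);
        System.out.println("encoded response:    " + encoded);
        System.out.println("tag reflected (vulnerable): " + reflectsTag(vulnerable, payloadA));
        System.out.println("tag reflected (encoded):    " + reflectsTag(encoded, payloadA));
    }
}
```

Compile and run with `javac ReflectedXssEncodingExample.java && java ReflectedXssEncodingExample` (Java 11 or newer, for `Map.of` and the `Charset` overload of `URLDecoder.decode`). The encoder here is deliberately the element-content variant only; attribute values, JavaScript strings and URLs each need their own encoder, which is what "context-aware" in the walkthrough refers to.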

@preetkaran20 (Member) commented

@Karan-Raj-KR I think there is some misunderstanding here. The goal is to test that all vulnerabilities are really exploitable and, if they are missing payloads, hints or description, then to raise issues/tickets in the project.

@Karan-Raj-KR (Author) commented

Misunderstood the issue requirements. Closing this PR, apologies for the noise!


Development

Successfully merging this pull request may close these issues.

Security Testing Needed Across all Vulnerabilities
