From adacef029bcd61531ad87d014d810d54c055ae1d Mon Sep 17 00:00:00 2001
From: "pixee-latio[bot]" <192043488+pixee-latio[bot]@users.noreply.github.com>
Date: Wed, 8 Jan 2025 03:10:51 +0000
Subject: [PATCH] (Snyk) Fixed finding: "XSS"

---
 .../example/insecurejava/UnsafeDeserializationController.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java b/insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java
index 2085858..6c0585a 100644
--- a/insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java
+++ b/insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java
@@ -1,4 +1,5 @@
 package com.example.insecurejava;
+import org.owasp.encoder.Encode;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -15,7 +16,7 @@ public ResponseEntity unsafeDeserialization(@RequestBody byte[] data) {
 try {
 ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
 Object deserializedObject = ois.readObject();
- return ResponseEntity.ok("Object deserialized: " + deserializedObject.toString());
+ return ResponseEntity.ok("Object deserialized: " + Encode.forHtml(deserializedObject.toString()));
 } catch (Exception e) {
 e.printStackTrace();
 return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body("Error during deserialization");
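Review bot: The added `import org.owasp.encoder.Encode;` requires the OWASP Java Encoder library on the classpath, and the diffstat shows only this one source file changed, so unless the build already declares that dependency the patch will not compile. If it is not already present, the build descriptor should be updated in the same commit so the encoding fix and its dependency land together. The class body that uses the import lies outside this hunk.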
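Review bot: HTML-encoding the result on the changed line does not address the more serious issue two lines above it, where `ois.readObject()` deserializes the raw request body with no `ObjectInputFilter`, so the content of `data` still decides which serializable classes get instantiated. At minimum, `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("<allow-listed classes>;!*"));` should precede `readObject()` (the pattern is a placeholder for the project's own allow-list), and the stream should be opened in a try-with-resources block since it is never closed in this method. Given the project path is `insecure-java`, this may be an intentionally vulnerable sample; if so, a comment stating that the deserialization is deliberately left unfiltered would keep automated fixes like this one from implying the endpoint is now safe. The enclosing method's signature appears only in the hunk header and its closing lines are outside the hunk.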