Update the Qhelp guidance for java xss

java/ql/src/Security/CWE/CWE-079/XSS.Good.java

@@ -0,0 +1,11 @@
+public class XSS extends HttpServlet {
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+	throws ServletException, IOException {
+		String unsafeInput = request.getParameter("page");
+        String safeInput = StringEscapeUtils.escapeHtml4(unsafeInput);
+        // GOOD: the untrusted request parameter is html encoded for special characters before being written into the response string.
+		response.getWriter().print(
+				"The page \"" + safeInput + "\" was not found.");
+
+	}
+}

java/ql/src/Security/CWE/CWE-079/XSS.qhelp

@@ -1,41 +1,69 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
 <qhelp>
 
 
-<overview>
-<p>Directly writing user input (for example, an HTTP request parameter) to a web page,
-without properly sanitizing the input first, allows for a cross-site scripting vulnerability.</p>
+  <overview>
+    <p>Directly writing user input (for example, an HTTP request parameter) to a web page,
+      without properly sanitizing the input first, allows for a cross-site scripting vulnerability.</p>
 
-</overview>
-<recommendation>
+  </overview>
+  <recommendation>
 
-<p>To guard against cross-site scripting, consider using contextual output encoding/escaping before
-writing user input to the page, or one of the other solutions that are mentioned in the
-reference.</p>
+    <p>To guard against reflected cross-site scripting in your backend java service, consider using
+      an appropriate HTML escaping library for your framework to sanitize the special HTML
+      characters.
+    </p>
 
-</recommendation>
-<example>
+    <p> For Android applications where an untrusted input is reflected into the WebView component
+      via risky methods such as <code>evaluateJavascript</code>, <code>loadData</code> or <code>
+      loadDataWithBaseURL</code> that execute javascript, use the following best practices:</p>
 
-<p>The following example shows the <code>page</code> parameter being written directly to the page,
-leaving the website vulnerable to cross-site scripting.</p>
+    <ul>
+      <li>
+        Use an appropriate HTML escaping library to sanitize special characters in the untrusted
+        input.
+      </li>
+      <li>When applicable, validate that the untrusted input is of a safe type before passing the
+        data into a risky method.</li>
+      <li> In scenarios where WebView doesn't require JavaScript, don't call <a
+          href="https://developer.android.com/reference/android/webkit/WebSettings#setJavaScriptEnabled(boolean)">
+        setJavaScriptEnabled</a> within <a
+          href="https://developer.android.com/reference/android/webkit/WebSettings">WebSettings</a>
+        (for example, while displaying static HTML content). By default, JavaScript execution is
+        disabled in WebView. </li>
+    </ul>
+    <p></p>
 
-<sample src="XSS.java" />
+    <p>If the above solutions do not work for your use-case, please consult your security assurance
+      team.</p>
 
-</example>
-<references>
 
+  </recommendation>
+  <example>
 
-<li>
-OWASP:
-<a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">XSS
-(Cross Site Scripting) Prevention Cheat Sheet</a>.
-</li>
-<li>
-Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
-</li>
+    <p>The following example shows the <code>page</code> parameter being written directly to the
+      page, leaving the website vulnerable to cross-site scripting.</p>
 
+    <sample src="XSS.Bad.java" />
 
-</references>
-</qhelp>
+    <p> Use an HTML encoding API such as <code>org.apache.commons.text.StringEscapeUtils.escapeHtml4</code>to
+      sanitize the untrusted <code>page</code> parameter before inserting it into the HTTP response.</p>
+
+    <sample src="./XSS.Good.java" />
+  </example>
+  <references>
+
+
+    <li> OWASP: <a
+        href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">XSS
+      (Cross Site Scripting) Prevention Cheat Sheet</a>. </li>
+    <li> Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>
+      . </li>
+    <li> WebView - Native bridges <a
+        href="https://developer.android.com/privacy-and-security/risks/insecure-webview-native-bridges">
+      Risks</a>
+    </li>
+
+
+  </references>
+</qhelp>