pscanrules: Charset Mismatch add example alerts

- CHANGELOG > Add note.
- CharsetMismatchScanRule > Add example alerts, adjust handling, some
minor related clean code changes. Drop alert related to "older clients".
- CharsetMismatchScanRuleUnitTest > Add test to assert the example
details, use parameterized case where practical.
- Messages.properties > Clarify one of the descriptions.
- Help > Drop details related to "older clients" alert.

Signed-off-by: kingthorin <[email protected]>

Author: kingthorin

addOns/pscanrules/CHANGELOG.md

@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Added
 - The Reverse Tabnabbing and Retrieved from Cache scan rules now have CWE references.
+- The Charset Mismatch scan rule now includes example alert functionality for documentation generation purposes (Issue 6119) and alert references (Issue 7100).
+
+### Removed
+- The Charset Mismatch scan rule no longer produces an alert with regard to META content-type and older clients.
 
 ## [65] - 2025-06-20
 ### Added

addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.zap.extension.pscanrules;
 
+import java.nio.charset.StandardCharsets;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -47,6 +48,8 @@ public class CharsetMismatchScanRule extends PluginPassiveScanner
     /** Prefix for internationalized messages used by this rule */
     private static final String MESSAGE_PREFIX = "pscanrules.charsetmismatch.";
 
+    private static final int PLUGIN_ID = 90011;
+
     private static final Map<String, String> ALERT_TAGS;
 
     static {
@@ -56,12 +59,21 @@ public class CharsetMismatchScanRule extends PluginPassiveScanner
         ALERT_TAGS = Collections.unmodifiableMap(alertTags);
     }
 
-    private static enum MismatchType {
-        NO_MISMATCH_METACONTENTTYPE_MISSING,
-        HEADER_METACONTENTYPE_MISMATCH,
-        HEADER_METACHARSET_MISMATCH,
-        METACONTENTTYPE_METACHARSET_MISMATCH,
-        XML_MISMATCH
+    private enum MismatchType {
+        HEADER_METACONTENTYPE_MISMATCH("-1"),
+        HEADER_METACHARSET_MISMATCH("-2"),
+        METACONTENTTYPE_METACHARSET_MISMATCH("-3"),
+        XML_MISMATCH("-4");
+
+        private final String alertRef;
+
+        MismatchType(String ref) {
+            this.alertRef = String.valueOf(PLUGIN_ID) + ref;
+        }
+
+        String getAlertRef() {
+            return this.alertRef;
+        }
     }
 
     @Override
@@ -71,9 +83,6 @@ public String getName() {
 
     public String getVariant(MismatchType currentType) {
         switch (currentType) {
-            case NO_MISMATCH_METACONTENTTYPE_MISSING: // no_mismatch_metacontenttype_missing
-                return Constant.messages.getString(
-                        MESSAGE_PREFIX + "variant.no_mismatch_metacontenttype_missing");
             case HEADER_METACONTENTYPE_MISMATCH: // header_metacontentype_mismatch
                 return Constant.messages.getString(
                         MESSAGE_PREFIX + "variant.header_metacontentype_mismatch");
@@ -153,55 +162,31 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
                     // other
                     if (AlertThreshold.LOW.equals(pluginThreshold)
                             && !bodyContentCharset.equalsIgnoreCase(metaCharset)) {
-                        raiseAlert(
-                                msg,
-                                id,
-                                metaCharset,
-                                bodyContentCharset,
-                                MismatchType
-                                        .METACONTENTTYPE_METACHARSET_MISMATCH); // body declarations
-                        // inconsistent with
-                        // each other
+                        buildAlert(
+                                        metaCharset,
+                                        bodyContentCharset,
+                                        MismatchType.METACONTENTTYPE_METACHARSET_MISMATCH)
+                                .raise(); // body declarations inconsistent with each other
                     }
                 }
                 if (hasBodyCharset) {
                     // Check the body content type charset declaration against the header
                     if (!bodyContentCharset.equalsIgnoreCase(headerCharset)) {
-                        raiseAlert(
-                                msg,
-                                id,
-                                headerCharset,
-                                bodyContentCharset,
-                                MismatchType.HEADER_METACONTENTYPE_MISMATCH); // body declaration
-                        // doesn't match header
+                        buildAlert(
+                                        headerCharset,
+                                        bodyContentCharset,
+                                        MismatchType.HEADER_METACONTENTYPE_MISMATCH)
+                                .raise(); // body declaration doesn't match header
                     }
                 }
                 if (hasMetaCharset) {
                     // Check the body meta charset declaration against the header
                     if (!metaCharset.equalsIgnoreCase(headerCharset)) {
-                        raiseAlert(
-                                msg,
-                                id,
-                                headerCharset,
-                                metaCharset,
-                                MismatchType
-                                        .HEADER_METACHARSET_MISMATCH); // body declaration doesn't
-                        // match header
-                    }
-                    // If Threshold is LOW be picky and report that
-                    // only a meta charset declaration might be insufficient coverage for older
-                    // clients
-                    if (AlertThreshold.LOW.equals(pluginThreshold) && hasBodyCharset == false) {
-                        raiseAlert(
-                                msg,
-                                id,
-                                "",
-                                "",
-                                MismatchType
-                                        .NO_MISMATCH_METACONTENTTYPE_MISSING); // body declaration
-                        // does match header
-                        // but may overlook
-                        // older clients
+                        buildAlert(
+                                        headerCharset,
+                                        metaCharset,
+                                        MismatchType.HEADER_METACHARSET_MISMATCH)
+                                .raise(); // body declaration doesn't match header
                     }
                 }
             }
@@ -212,11 +197,11 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
             // TODO: could there be more than one XML declaration tag for a single XML file?
             List<StartTag> xmlDeclarationTags =
                     source.getAllStartTags(StartTagType.XML_DECLARATION);
-            if (xmlDeclarationTags.size() > 0) {
+            if (!xmlDeclarationTags.isEmpty()) {
                 StartTag xmlDeclarationTag = xmlDeclarationTags.get(0);
                 String encoding = xmlDeclarationTag.getAttributeValue("encoding");
                 if (!headerCharset.equalsIgnoreCase(encoding)) {
-                    raiseAlert(msg, id, headerCharset, encoding, MismatchType.XML_MISMATCH);
+                    buildAlert(headerCharset, encoding, MismatchType.XML_MISMATCH).raise();
                 }
             }
         }
@@ -259,13 +244,9 @@ private static String getBodyContentCharset(String bodyContentType) {
         return charset;
     }
 
-    private void raiseAlert(
-            HttpMessage msg,
-            int id,
-            String firstCharset,
-            String secondCharset,
-            MismatchType currentMismatch) {
-        newAlert()
+    private AlertBuilder buildAlert(
+            String firstCharset, String secondCharset, MismatchType currentMismatch) {
+        return newAlert()
                 .setName(
                         getName()
                                 + " "
@@ -280,12 +261,12 @@ private void raiseAlert(
                 .setReference(getReference())
                 .setCweId(getCweId())
                 .setWascId(getWascId())
-                .raise();
+                .setAlertRef(currentMismatch.getAlertRef());
     }
 
     @Override
     public int getPluginId() {
-        return 90011;
+        return PLUGIN_ID;
     }
 
     /*
@@ -327,12 +308,6 @@ private static String getExtraInfo(
         String extraInfo = "";
 
         switch (mismatchType) {
-            case NO_MISMATCH_METACONTENTTYPE_MISSING: // no_mismatch_metacontenttype_missing
-                extraInfo =
-                        Constant.messages.getString(
-                                MESSAGE_PREFIX
-                                        + "extrainfo.html.no_mismatch_metacontenttype_missing");
-                break;
             case HEADER_METACONTENTYPE_MISMATCH: // header_metacontentype_mismatch
                 extraInfo =
                         Constant.messages.getString(
@@ -363,4 +338,26 @@ private static String getExtraInfo(
         }
         return extraInfo;
     }
+
+    @Override
+    public List<Alert> getExampleAlerts() {
+        return List.of(
+                buildAlert(
+                                StandardCharsets.UTF_8.name(),
+                                "ISO-123",
+                                MismatchType.HEADER_METACONTENTYPE_MISMATCH)
+                        .build(),
+                buildAlert(
+                                StandardCharsets.UTF_8.name(),
+                                "ISO-123",
+                                MismatchType.HEADER_METACHARSET_MISMATCH)
+                        .build(),
+                buildAlert(
+                                "ISO-123",
+                                StandardCharsets.UTF_8.name(),
+                                MismatchType.METACONTENTTYPE_METACHARSET_MISMATCH)
+                        .build(),
+                buildAlert(StandardCharsets.UTF_8.name(), "ISO-123", MismatchType.XML_MISMATCH)
+                        .build());
+    }
 }

addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help/contents/pscanrules.html

@@ -89,7 +89,6 @@ <H2 id="id-90011">Charset Mismatch</H2>
   </li>
   <li>Low Threshold:
     <ul>
-      <li>Meta Content-Type Charset Missing - The response doesn't contain a META Content-Type declaration, which may overlook older clients.</li>
       <li>Meta Charset Versus Meta Content-Type Charset - The response contains both a META Content-Type declaration and a META Charset declaration, and they don't match.</li>
     </ul>
   </li>

addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages.properties

@@ -45,15 +45,13 @@ pscanrules.charsetmismatch.desc = This check identifies responses where the HTTP
 pscanrules.charsetmismatch.extrainfo.html.header_metacharset_mismatch = There was a charset mismatch between the HTTP Header and the META charset encoding declaration: [{0}] and [{1}] do not match.
 pscanrules.charsetmismatch.extrainfo.html.header_metacontentype_mismatch = There was a charset mismatch between the HTTP Header and the META content-type encoding declarations: [{0}] and [{1}] do not match.
 pscanrules.charsetmismatch.extrainfo.html.metacontenttype_metacharset_mismatch = There was a charset mismatch between the META charset and the META content-type encoding declaration: [{0}] and [{1}] do not match.
-pscanrules.charsetmismatch.extrainfo.html.no_mismatch_metacontenttype_missing = Charset is defined only by META charset, older clients that expect character set to be defined by META content-type may not correctly display this content.
 pscanrules.charsetmismatch.extrainfo.xml = There was a charset mismatch between the HTTP Header and the XML encoding declaration: [{0}] and [{1}] do not match.
 pscanrules.charsetmismatch.name = Charset Mismatch
 pscanrules.charsetmismatch.refs = https://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
 pscanrules.charsetmismatch.soln = Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or encoding declarations in XML.
 pscanrules.charsetmismatch.variant.header_metacharset_mismatch = (Header Versus Meta Charset)
 pscanrules.charsetmismatch.variant.header_metacontentype_mismatch = (Header Versus Meta Content-Type Charset)
 pscanrules.charsetmismatch.variant.metacontenttype_metacharset_mismatch = (Meta Charset Versus Meta Content-Type Charset)
-pscanrules.charsetmismatch.variant.no_mismatch_metacontenttype_missing = (Meta Content-Type Charset Missing)
 
 pscanrules.contentsecuritypolicymissing.desc = Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
 pscanrules.contentsecuritypolicymissing.name = Content Security Policy (CSP) Header Not Set