rspec/rules/S5247/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

https://www.npmjs.com/package/mustache[mustache.js] template engine:
----
let Mustache = require("mustache");

Mustache.escape = function(text) {return text;}; // Sensitive
let rendered = Mustache.render(template, { name: inputName });
----
https://www.npmjs.com/package/handlebars[handlebars.js] template engine:
----
const Handlebars = require('handlebars');

let source = "<p>attack {{name}}</p>";

let template = Handlebars.compile(source, { noEscape: true }); // Sensitive 
----
https://www.npmjs.com/package/markdown-it[markdown-it] markup language parser:
----
const markdownIt = require('markdown-it');
let md = markdownIt({
  html: true // Sensitive
});

let result = md.render('# <b>attack</b>');
----
https://www.npmjs.com/package/marked[marked] markup language parser:
----
const marked = require('marked');

marked.setOptions({
  renderer: new marked.Renderer(),
  sanitize: false // Sensitive
});

console.log(marked("# test <b>attack/b>"));  
----
https://www.npmjs.com/package/kramed[kramed] markup language parser:
----
let kramed = require('kramed'); // Sensitive: by default sanitize is set to false
console.log(kramed('Attack [xss?](javascript:alert("xss")).'));
----

== Compliant Solution

https://www.npmjs.com/package/mustache[mustache.js] template engine:
----
let Mustache = require("mustache");

let rendered = Mustache.render(template, { name: inputName }); // Compliant autoescaping is on by default
----
https://www.npmjs.com/package/handlebars[handlebars.js] template engine:
----
const Handlebars = require('handlebars');

let source = "<p>attack {{name}}</p>";
let data = { "name": "<b>Alan</b>" };

let template = Handlebars.compile(source); // Compliant by default noEscape is set to false
----
https://www.npmjs.com/package/markdown-it[markdown-it] markup language parser:
----
let md = require('markdown-it')(); // Compliant by default html is set to false

let result = md.render('# <b>attack</b>');
----
https://www.npmjs.com/package/marked[marked] markup language parser:
----
const marked = require('marked');

marked.setOptions({
  renderer: new marked.Renderer()
}); // Compliant by default sanitize is set to true

console.log(marked("# test <b>attack/b>"));  
----
https://www.npmjs.com/package/kramed[kramed] markup language parser:
----
let kramed = require('kramed');

let options = {
  renderer: new kramed.Renderer({
    sanitize: true // Compliant
  })
};

console.log(kramed('Attack [xss?](javascript:alert("xss")).', options));
----

include::../see.adoc[]
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`https://www.npmjs.com/package/mustache[mustache.js] template engine:`
			`----`
			`let Mustache = require("mustache");`

			`Mustache.escape = function(text) {return text;}; // Sensitive`
			`let rendered = Mustache.render(template, { name: inputName });`
			`----`
			`https://www.npmjs.com/package/handlebars[handlebars.js] template engine:`
			`----`
			`const Handlebars = require('handlebars');`

			`let source = "<p>attack {{name}}</p>";`

			`let template = Handlebars.compile(source, { noEscape: true }); // Sensitive`
			`----`
			`https://www.npmjs.com/package/markdown-it[markdown-it] markup language parser:`
			`----`
			`const markdownIt = require('markdown-it');`
			`let md = markdownIt({`
			`html: true // Sensitive`
			`});`

			`let result = md.render('# <b>attack</b>');`
			`----`
			`https://www.npmjs.com/package/marked[marked] markup language parser:`
			`----`
			`const marked = require('marked');`

			`marked.setOptions({`
			`renderer: new marked.Renderer(),`
			`sanitize: false // Sensitive`
			`});`

			`console.log(marked("# test <b>attack/b>"));`
			`----`
			`https://www.npmjs.com/package/kramed[kramed] markup language parser:`
			`----`
			`let kramed = require('kramed'); // Sensitive: by default sanitize is set to false`
			`console.log(kramed('Attack [xss?](javascript:alert("xss")).'));`
			`----`

			`== Compliant Solution`

			`https://www.npmjs.com/package/mustache[mustache.js] template engine:`
			`----`
			`let Mustache = require("mustache");`

			`let rendered = Mustache.render(template, { name: inputName }); // Compliant autoescaping is on by default`
			`----`
			`https://www.npmjs.com/package/handlebars[handlebars.js] template engine:`
			`----`
			`const Handlebars = require('handlebars');`

			`let source = "<p>attack {{name}}</p>";`
			`let data = { "name": "<b>Alan</b>" };`

			`let template = Handlebars.compile(source); // Compliant by default noEscape is set to false`
			`----`
			`https://www.npmjs.com/package/markdown-it[markdown-it] markup language parser:`
			`----`
			`let md = require('markdown-it')(); // Compliant by default html is set to false`

			`let result = md.render('# <b>attack</b>');`
			`----`
			`https://www.npmjs.com/package/marked[marked] markup language parser:`
			`----`
			`const marked = require('marked');`

			`marked.setOptions({`
			`renderer: new marked.Renderer()`
			`}); // Compliant by default sanitize is set to true`

			`console.log(marked("# test <b>attack/b>"));`
			`----`
			`https://www.npmjs.com/package/kramed[kramed] markup language parser:`
			`----`
			`let kramed = require('kramed');`

			`let options = {`
			`renderer: new kramed.Renderer({`
			`sanitize: true // Compliant`
			`})`
			`};`

			`console.log(kramed('Attack [xss?](javascript:alert("xss")).', options));`
			`----`

			`include::../see.adoc[]`