ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5696/javascript/rule.adoc

48 lines
1.3 KiB
Plaintext
Raw Normal View History

Add rules 5000-5999
2020-06-30 12:50:28 +02:00
include::../description.adoc[]
== Noncompliant Code Example
Example of basic DOM-XSS attack (http://vulnerable/page.html#javascript:alert('xss')):
----
<html>
<body>
<h5><a id="example1"></a>Example headline 1</h5>
<h5><a id="example2"></a>Example headline 2</h5>
<h5><a id="example3"></a>Example headline 3</h5>
<h5><a id="example4"></a>Example headline 4</h5>
<a id="xssexample1" href="https://vulnerable/page.html" target=_blank>Open in another tab</a>
<script language=javascript>
var hash = location.hash.substr(1);
xssexample1.setAttribute('href', hash); // Noncompliant
</script>
</body>
</html>
----
== Compliant Solution
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent[encodeURIComponent] is a sanitizer that escape dangerous characters in this context (like <code>:</code>):
----
<html>
<body>
<h5><a id="example1"></a>Example headline 1</h5>
<h5><a id="example2"></a>Example headline 2</h5>
<h5><a id="example3"></a>Example headline 3</h5>
<h5><a id="example4"></a>Example headline 4</h5>
<a id="xssexample1" href="https://vulnerable/page.html" target=_blank>Open in another tab</a>
<script language=javascript>
var hash = location.hash.substr(1);
xssexample1.setAttribute('href', encodeURIComponent(hash)); // Compliant
</script>
</body>
</html>
----
include::../see.adoc[]
Reference in New Issue Copy Permalink