rspec/rules/S5696/javascript/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

Example of basic DOM-XSS attack (http://vulnerable/page.html#javascript:alert('xss')):

----
<html>
<body>
<h5><a id="example1"></a>Example headline 1</h5>
<h5><a id="example2"></a>Example headline 2</h5>
<h5><a id="example3"></a>Example headline 3</h5>
<h5><a id="example4"></a>Example headline 4</h5>


<a id="xssexample1" href="https://vulnerable/page.html" target=_blank>Open in another tab</a>

<script language=javascript>
var hash = location.hash.substr(1); 
xssexample1.setAttribute('href', hash); // Noncompliant
</script>
</body>
</html>
----

== Compliant Solution

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent[encodeURIComponent] is a sanitizer that escape dangerous characters in this context (like <code>:</code>):

----
<html>
<body>
<h5><a id="example1"></a>Example headline 1</h5>
<h5><a id="example2"></a>Example headline 2</h5>
<h5><a id="example3"></a>Example headline 3</h5>
<h5><a id="example4"></a>Example headline 4</h5>


<a id="xssexample1" href="https://vulnerable/page.html" target=_blank>Open in another tab</a>

<script language=javascript>
var hash = location.hash.substr(1); 
xssexample1.setAttribute('href', encodeURIComponent(hash)); // Compliant
</script>
</body>
</html>
----

include::../see.adoc[]
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

			`Example of basic DOM-XSS attack (http://vulnerable/page.html#javascript:alert('xss')):`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`<html>`
			`<body>`
			`<h5><a id="example1"></a>Example headline 1</h5>`
			`<h5><a id="example2"></a>Example headline 2</h5>`
			`<h5><a id="example3"></a>Example headline 3</h5>`
			`<h5><a id="example4"></a>Example headline 4</h5>`


			`<a id="xssexample1" href="https://vulnerable/page.html" target=_blank>Open in another tab</a>`

			`<script language=javascript>`
			`var hash = location.hash.substr(1);`
			`xssexample1.setAttribute('href', hash); // Noncompliant`
			`</script>`
			`</body>`
			`</html>`
			`----`

			`== Compliant Solution`

			`https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent[encodeURIComponent] is a sanitizer that escape dangerous characters in this context (like <code>:</code>):`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`<html>`
			`<body>`
			`<h5><a id="example1"></a>Example headline 1</h5>`
			`<h5><a id="example2"></a>Example headline 2</h5>`
			`<h5><a id="example3"></a>Example headline 3</h5>`
			`<h5><a id="example4"></a>Example headline 4</h5>`


			`<a id="xssexample1" href="https://vulnerable/page.html" target=_blank>Open in another tab</a>`

			`<script language=javascript>`
			`var hash = location.hash.substr(1);`
			`xssexample1.setAttribute('href', encodeURIComponent(hash)); // Compliant`
			`</script>`
			`</body>`
			`</html>`
			`----`

			`include::../see.adoc[]`