rspec/rules/S5439/python/rule.adoc

Template engines have an HTML autoescape mechanism that protects web applications against most common cross-site-scripting (XSS) vulnerabilities.

By default, it automatically replaces HTML special characters in any template variables. This secure by design configuration should not be globally disabled.


Escaping HTML from template variables prevents switching into any execution context, like ``++<script>++``. Disabling autoescaping forces developers to manually escape each template variable for the application to be safe. A more pragmatic approach is to escape by default and to manually disable escaping when needed.


A successful exploitation of a cross-site-scripting vulnerability by an attacker allow him to execute malicious JavaScript code in a user's web browser. The most severe XSS attacks involve:

* Forced redirection
* Modify presentation of content
* User accounts takeover after disclosure of sensitive information like session cookies or passwords

This rule supports the following libraries:

* https://github.com/django/django[Django Templates]
* https://github.com/pallets/jinja[Jinja2]


== Noncompliant Code Example

----
from jinja2 import Environment

env = Environment() # Noncompliant; New Jinja2 Environment has autoescape set to false
env = Environment(autoescape=False) # Noncompliant
----


== Compliant Solution

----
from jinja2 import Environment
env = Environment(autoescape=True) # Compliant
----


== See

* https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md[OWASP Cheat Sheet] - XSS Prevention Cheat Sheet
* https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A9] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/79.html[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
* https://cwe.mitre.org/data/definitions/80.html[MITRE, CWE-80] - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
* https://cwe.mitre.org/data/definitions/81.html[MITRE, CWE-81] - Improper Neutralization of Script in an Error Message Web Page
* https://cwe.mitre.org/data/definitions/82.html[MITRE, CWE-82] - Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
* https://cwe.mitre.org/data/definitions/83.html[MITRE, CWE-83] - Improper Neutralization of Script in Attributes in a Web Page
* https://cwe.mitre.org/data/definitions/84.html[MITRE, CWE-84] - Improper Neutralization of Encoded URI Schemes in a Web Page
* https://cwe.mitre.org/data/definitions/85.html[MITRE, CWE-85] - Doubled Character XSS Manipulations
* https://cwe.mitre.org/data/definitions/86.html[MITRE, CWE-86] - Improper Neutralization of Invalid Characters in Identifiers in Web Pages
* https://cwe.mitre.org/data/definitions/87.html[MITRE, CWE-87] - Improper Neutralization of Alternate XSS Syntax
* https://www.sans.org/top25-software-errors/#cat1[SANS Top 25] - Insecure Interaction Between Components 


ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`Template engines have an HTML autoescape mechanism that protects web applications against most common cross-site-scripting (XSS) vulnerabilities.`

			`By default, it automatically replaces HTML special characters in any template variables. This secure by design configuration should not be globally disabled.`


			Escaping HTML from template variables prevents switching into any execution context, like ``++<script>++``. Disabling autoescaping forces developers to manually escape each template variable for the application to be safe. A more pragmatic approach is to escape by default and to manually disable escaping when needed.


			`A successful exploitation of a cross-site-scripting vulnerability by an attacker allow him to execute malicious JavaScript code in a user's web browser. The most severe XSS attacks involve:`

			`* Forced redirection`
			`* Modify presentation of content`
			`* User accounts takeover after disclosure of sensitive information like session cookies or passwords`

			`This rule supports the following libraries:`

			`* https://github.com/django/django[Django Templates]`
			`* https://github.com/pallets/jinja[Jinja2]`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Noncompliant Code Example`

			`----`
			`from jinja2 import Environment`

			`env = Environment() # Noncompliant; New Jinja2 Environment has autoescape set to false`
			`env = Environment(autoescape=False) # Noncompliant`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Compliant Solution`

			`----`
			`from jinja2 import Environment`
			`env = Environment(autoescape=True) # Compliant`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

			`* https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md[OWASP Cheat Sheet] - XSS Prevention Cheat Sheet`
			`* https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)`
			`* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A9] - Security Misconfiguration`
			`* https://cwe.mitre.org/data/definitions/79.html[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')`
			`* https://cwe.mitre.org/data/definitions/80.html[MITRE, CWE-80] - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)`
			`* https://cwe.mitre.org/data/definitions/81.html[MITRE, CWE-81] - Improper Neutralization of Script in an Error Message Web Page`
			`* https://cwe.mitre.org/data/definitions/82.html[MITRE, CWE-82] - Improper Neutralization of Script in Attributes of IMG Tags in a Web Page`
			`* https://cwe.mitre.org/data/definitions/83.html[MITRE, CWE-83] - Improper Neutralization of Script in Attributes in a Web Page`
			`* https://cwe.mitre.org/data/definitions/84.html[MITRE, CWE-84] - Improper Neutralization of Encoded URI Schemes in a Web Page`
			`* https://cwe.mitre.org/data/definitions/85.html[MITRE, CWE-85] - Doubled Character XSS Manipulations`
			`* https://cwe.mitre.org/data/definitions/86.html[MITRE, CWE-86] - Improper Neutralization of Invalid Characters in Identifiers in Web Pages`
			`* https://cwe.mitre.org/data/definitions/87.html[MITRE, CWE-87] - Improper Neutralization of Alternate XSS Syntax`
			`* https://www.sans.org/top25-software-errors/#cat1[SANS Top 25] - Insecure Interaction Between Components`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`