include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
https://www.npmjs.com/package/mustache[mustache.js] template engine:
[source,javascript]
----
const Mustache = require("mustache");

// Replacing Mustache.escape with an identity function switches off the default
// HTML escaping for every `{{name}}` tag, so untrusted values reach the output raw.
Mustache.escape = (text) => text; // Sensitive

const rendered = Mustache.render(template, { name: inputName });
----
https://www.npmjs.com/package/handlebars[handlebars.js] template engine:
[source,javascript]
----
const Handlebars = require('handlebars');

const source = "<p>attack {{name}}</p>";

// noEscape: true disables HTML escaping of `{{name}}` for this template, so
// whatever is supplied as `name` is inserted into the markup verbatim.
const template = Handlebars.compile(source, { noEscape: true }); // Sensitive
----
https://www.npmjs.com/package/markdown-it[markdown-it] markup language parser:
[source,javascript]
----
const markdownIt = require('markdown-it');

// With html: true, inline HTML in the Markdown source is copied to the output
// unchanged, so `<b>attack</b>` here (and any other tag in the input) is kept.
const md = markdownIt({
  html: true // Sensitive
});

const result = md.render('# <b>attack</b>');
----
https://www.npmjs.com/package/marked[marked] markup language parser:
[source,javascript]
----
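const marked = require('marked');

// sanitize: false leaves inline HTML from the Markdown source untouched in the
// rendered output. Note that false is also marked's default, so simply omitting
// the option is just as sensitive as setting it explicitly.
marked.setOptions({
  renderer: new marked.Renderer(),
  sanitize: false // Sensitive
});

// The closing tag was malformed ("attack/b>") in the original example; fixed so
// the input is the well-formed HTML the example is meant to demonstrate.
console.log(marked("# test <b>attack</b>"));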
----
https://www.npmjs.com/package/kramed[kramed] markup language parser:
[source,javascript]
----
const kramed = require('kramed');

// sanitize: false keeps raw HTML (and javascript: link targets) from the
// Markdown source in the rendered output.
const options = {
  renderer: new kramed.Renderer({
    sanitize: false // Sensitive
  })
};
----
== Compliant Solution
https://www.npmjs.com/package/mustache[mustache.js] template engine:
[source,javascript]
----
const Mustache = require("mustache");

// Mustache.escape is left at its default, so `{{name}}` is HTML-escaped.
// Only the unescaped forms `{{{name}}}` / `{{& name}}` bypass this escaping,
// so keep untrusted values out of those.
const rendered = Mustache.render(template, { name: inputName }); // Compliant: auto-escaping is on by default
----
https://www.npmjs.com/package/handlebars[handlebars.js] template engine:
[source,javascript]
----
const Handlebars = require('handlebars');

const source = "<p>attack {{name}}</p>";
const data = { "name": "<b>Alan</b>" };

// noEscape defaults to false, so `{{name}}` is HTML-escaped and `<b>Alan</b>`
// is rendered as text. Triple-stash `{{{name}}}` and Handlebars.SafeString
// values are emitted raw; do not route untrusted input through those.
const template = Handlebars.compile(source); // Compliant: by default noEscape is set to false
----
https://www.npmjs.com/package/markdown-it[markdown-it] markup language parser:
[source,javascript]
----
// html defaults to false, so inline HTML in the Markdown source is escaped
// rather than passed through to the output.
const md = require('markdown-it')(); // Compliant: by default html is set to false

const result = md.render('# <b>attack</b>');
----
https://www.npmjs.com/package/marked[marked] markup language parser:
[source,javascript]
----
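const marked = require('marked');

// marked does NOT sanitize by default (`sanitize` defaults to false), so the
// original "compliant" example, which only set a renderer, still passed raw HTML
// through. The option has to be enabled explicitly.
// Caveat: `sanitize` is deprecated in later marked releases and removed in newer
// major versions; there, run the rendered HTML through a dedicated HTML
// sanitizer before inserting it into a page.
marked.setOptions({
  renderer: new marked.Renderer(),
  sanitize: true // Compliant
});

// The closing tag was malformed ("attack/b>") in the original example; fixed so
// the input is the well-formed HTML the example is meant to demonstrate.
console.log(marked("# test <b>attack</b>"));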
----
https://www.npmjs.com/package/kramed[kramed] markup language parser:
[source,javascript]
----
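const kramed = require('kramed');

// kramed's lexers and link renderer read `sanitize` from the options object
// passed to kramed() itself (its parser reassigns renderer.options to that
// object), so a value set only on the Renderer instance is not reliable.
// Set it at the top level; keeping it on the Renderer as well does no harm.
const options = {
  renderer: new kramed.Renderer({
    sanitize: true
  }),
  sanitize: true // Compliant
};

// With sanitize enabled the javascript: link target is dropped from the output.
console.log(kramed('Attack [xss?](javascript:alert("xss")).', options));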
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 14 May 2019, 22:07:46 Lars Svensson wrote:
Reference:
https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml
=== on 10 Sep 2019, 08:28:46 Alexandre Gigleux wrote:
Angular case should also be covered by this rule:
* \https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml
* \https://angular.io/api/platform-browser/DomSanitizer#bypassSecurityTrustHtml
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]