include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example https://www.npmjs.com/package/mustache[mustache.js] template engine: ---- let Mustache = require("mustache"); Mustache.escape = function(text) {return text;}; // Sensitive let rendered = Mustache.render(template, { name: inputName }); ---- https://www.npmjs.com/package/handlebars[handlebars.js] template engine: ---- const Handlebars = require('handlebars'); let source = "

attack {{name}}

"; let template = Handlebars.compile(source, { noEscape: true }); // Sensitive ---- https://www.npmjs.com/package/markdown-it[markdown-it] markup language parser: ---- const markdownIt = require('markdown-it'); let md = markdownIt({ html: true // Sensitive }); let result = md.render('# attack'); ---- https://www.npmjs.com/package/marked[marked] markup language parser: ---- const marked = require('marked'); marked.setOptions({ renderer: new marked.Renderer(), sanitize: false // Sensitive }); console.log(marked("# test attack/b>")); ---- https://www.npmjs.com/package/kramed[kramed] markup language parser: ---- let kramed = require('kramed'); var options = { renderer: new kramed.Renderer({ sanitize: false // Sensitive }) }; ---- == Compliant Solution https://www.npmjs.com/package/mustache[mustache.js] template engine: [source,javascript] ---- let Mustache = require("mustache"); let rendered = Mustache.render(template, { name: inputName }); // Compliant autoescaping is on by default ---- https://www.npmjs.com/package/handlebars[handlebars.js] template engine: [source,javascript] ---- const Handlebars = require('handlebars'); let source = "

attack {{name}}

"; let data = { "name": "Alan" }; let template = Handlebars.compile(source); // Compliant by default noEscape is set to false ---- https://www.npmjs.com/package/markdown-it[markdown-it] markup language parser: [source,javascript] ---- let md = require('markdown-it')(); // Compliant by default html is set to false let result = md.render('# attack'); ---- https://www.npmjs.com/package/marked[marked] markup language parser: [source,javascript] ---- const marked = require('marked'); marked.setOptions({ renderer: new marked.Renderer() }); // Compliant by default sanitize is set to true console.log(marked("# test attack/b>")); ---- https://www.npmjs.com/package/kramed[kramed] markup language parser: [source,javascript] ---- let kramed = require('kramed'); let options = { renderer: new kramed.Renderer({ sanitize: true // Compliant }) }; console.log(kramed('Attack [xss?](javascript:alert("xss")).', options)); ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] ''' == Comments And Links (visible only on this page) === on 14 May 2019, 22:07:46 Lars Svensson wrote: Reference: https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml === on 10 Sep 2019, 08:28:46 Alexandre Gigleux wrote: Angular case should also be covered by this rule: * \https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml * \https://angular.io/api/platform-browser/DomSanitizer#bypassSecurityTrustHtml include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]