ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5247/javascript/rule.adoc
Arseniy Zaostrovnykh 716b335a56 Enable forced linebreaks in quotes; escape -- in url
2021-02-02 16:54:43 +01:00

113 lines
2.6 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
https://www.npmjs.com/package/mustache[mustache.js] template engine:
----
let Mustache = require("mustache");
Mustache.escape = function(text) {return text;}; // Sensitive
let rendered = Mustache.render(template, { name: inputName });
----
https://www.npmjs.com/package/handlebars[handlebars.js] template engine:
----
const Handlebars = require('handlebars');
let source = "<p>attack {{name}}</p>";
let template = Handlebars.compile(source, { noEscape: true }); // Sensitive
----
https://www.npmjs.com/package/markdown-it[markdown-it] markup language parser:
----
const markdownIt = require('markdown-it');
let md = markdownIt({
html: true // Sensitive
});
let result = md.render('# <b>attack</b>');
----
https://www.npmjs.com/package/marked[marked] markup language parser:
----
const marked = require('marked');
marked.setOptions({
renderer: new marked.Renderer(),
sanitize: false // Sensitive
});
console.log(marked("# test <b>attack/b>"));
----
https://www.npmjs.com/package/kramed[kramed] markup language parser:
----
let kramed = require('kramed');
var options = {
renderer: new kramed.Renderer({
sanitize: false // Sensitive
})
};
----
== Compliant Solution
https://www.npmjs.com/package/mustache[mustache.js] template engine:
----
let Mustache = require("mustache");
let rendered = Mustache.render(template, { name: inputName }); // Compliant autoescaping is on by default
----
https://www.npmjs.com/package/handlebars[handlebars.js] template engine:
----
const Handlebars = require('handlebars');
let source = "<p>attack {{name}}</p>";
let data = { "name": "<b>Alan</b>" };
let template = Handlebars.compile(source); // Compliant by default noEscape is set to false
----
https://www.npmjs.com/package/markdown-it[markdown-it] markup language parser:
----
let md = require('markdown-it')(); // Compliant by default html is set to false
let result = md.render('# <b>attack</b>');
----
https://www.npmjs.com/package/marked[marked] markup language parser:
----
const marked = require('marked');
marked.setOptions({
renderer: new marked.Renderer()
}); // Compliant by default sanitize is set to true
console.log(marked("# test <b>attack/b>"));
----
https://www.npmjs.com/package/kramed[kramed] markup language parser:
----
let kramed = require('kramed');
let options = {
renderer: new kramed.Renderer({
sanitize: true // Compliant
})
};
console.log(kramed('Attack [xss?](javascript:alert("xss")).', options));
----
include::../see.adoc[]
Reference in New Issue View Git Blame Copy Permalink