Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940)
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00


include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
https://www.npmjs.com/package/mustache[mustache.js] template engine:
[source,javascript]
----
let Mustache = require("mustache");
// Replacing the escape hook with an identity function switches off Mustache's
// HTML escaping, so whatever `inputName` contains is emitted verbatim into the output.
Mustache.escape = function(text) {return text;}; // Sensitive
// Assumes `template` and `inputName` are defined by the surrounding code.
let rendered = Mustache.render(template, { name: inputName });
----
https://www.npmjs.com/package/handlebars[handlebars.js] template engine:
[source,javascript]
----
const Handlebars = require('handlebars');
let source = "<p>attack {{name}}</p>";
// noEscape: true disables HTML escaping of {{name}}, so a value containing
// markup is inserted into the <p> as-is once the template is rendered.
let template = Handlebars.compile(source, { noEscape: true }); // Sensitive
----
https://www.npmjs.com/package/markdown-it[markdown-it] markup language parser:
[source,javascript]
----
const markdownIt = require('markdown-it');
let md = markdownIt({
  // html: true lets raw HTML in the Markdown source pass through to the output
  // instead of being escaped, so the <b> tag below reaches the rendered result unchanged.
  html: true // Sensitive
});
let result = md.render('# <b>attack</b>');
----
https://www.npmjs.com/package/marked[marked] markup language parser:
[source,javascript]
----
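const marked = require('marked');
marked.setOptions({
  renderer: new marked.Renderer(),
  // sanitize: false leaves inline HTML in the Markdown source untouched, so the
  // <b> tag below is emitted into the output rather than escaped.
  sanitize: false // Sensitive
});
// Sample input uses a well-formed <b>…</b> pair so the pass-through is visible in the output.
console.log(marked("# test <b>attack</b>"));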
----
https://www.npmjs.com/package/kramed[kramed] markup language parser:
[source,javascript]
----
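let kramed = require('kramed');
// Renderer configuration; declared with `let` like the compliant example rather than `var`.
let options = {
  renderer: new kramed.Renderer({
    // sanitize: false leaves inline HTML in the Markdown source untouched,
    // so markup supplied in the input reaches the rendered output unescaped.
    sanitize: false // Sensitive
  })
};
// Render with these options so the example, like the compliant one, shows them in use.
console.log(kramed('# test <b>attack</b>', options));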
----
== Compliant Solution
https://www.npmjs.com/package/mustache[mustache.js] template engine:
[source,javascript]
----
let Mustache = require("mustache");
// The default escape hook is left in place, so markup in `inputName` is rendered as text.
// Assumes `template` and `inputName` are defined by the surrounding code.
let rendered = Mustache.render(template, { name: inputName }); // Compliant: autoescaping is on by default
----
https://www.npmjs.com/package/handlebars[handlebars.js] template engine:
[source,javascript]
----
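const Handlebars = require('handlebars');
let source = "<p>attack {{name}}</p>";
let data = { "name": "<b>Alan</b>" };
let template = Handlebars.compile(source); // Compliant: by default noEscape is set to false
// Render the compiled template so `data` is actually used; with escaping on,
// the <b> tags in `name` are emitted as text rather than as markup.
let rendered = template(data);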
----
https://www.npmjs.com/package/markdown-it[markdown-it] markup language parser:
[source,javascript]
----
// With the default options raw HTML in the Markdown source is escaped rather than
// passed through, so the <b> tag below appears literally in the output.
let md = require('markdown-it')(); // Compliant: by default html is set to false
let result = md.render('# <b>attack</b>');
----
https://www.npmjs.com/package/marked[marked] markup language parser:
[source,javascript]
----
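const marked = require('marked');
marked.setOptions({
  renderer: new marked.Renderer()
}); // Compliant: by default sanitize is set to true
// NOTE(review): this example relies on the default value of `sanitize`; confirm that
// default against the marked version in use.
// Sample input uses a well-formed <b>…</b> pair so the escaping is visible in the output.
console.log(marked("# test <b>attack</b>"));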
----
https://www.npmjs.com/package/kramed[kramed] markup language parser:
[source,javascript]
----
let kramed = require('kramed');
let options = {
  renderer: new kramed.Renderer({
    // sanitize: true makes the renderer neutralize raw HTML in the Markdown source.
    // NOTE(review): confirm for the kramed version in use that this also covers the
    // `javascript:` link scheme used in the sample input below.
    sanitize: true // Compliant
  })
};
console.log(kramed('Attack [xss?](javascript:alert("xss")).', options));
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 14 May 2019, 22:07:46 Lars Svensson wrote:
Reference:
https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml
=== on 10 Sep 2019, 08:28:46 Alexandre Gigleux wrote:
Angular case should also be covered by this rule:
* \https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml
* \https://angular.io/api/platform-browser/DomSanitizer#bypassSecurityTrustHtml
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]