ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5439/python/rule.adoc
Marco Borgeaud 34814f787b
Remove links to SANS Top 25 CWEs (#3322) 
These links are no longer relevant since SANS now just link to CWE, and we already have links to CWEs.
2023-10-18 13:16:00 +00:00

79 lines
3.4 KiB
Plaintext
Raw Blame History

== Why is this an issue?
Template engines have an HTML autoescape mechanism that protects web applications against most common cross-site-scripting (XSS) vulnerabilities.
By default, it automatically replaces HTML special characters in any template variables. This secure by design configuration should not be globally disabled.
Escaping HTML from template variables prevents switching into any execution context, like ``++<script>++``. Disabling autoescaping forces developers to manually escape each template variable for the application to be safe. A more pragmatic approach is to escape by default and to manually disable escaping when needed.
A successful exploitation of a cross-site-scripting vulnerability by an attacker allow him to execute malicious JavaScript code in a user's web browser. The most severe XSS attacks involve:
* Forced redirection
* Modify presentation of content
* User accounts takeover after disclosure of sensitive information like session cookies or passwords
This rule supports the following libraries:
* https://github.com/django/django[Django Templates]
* https://github.com/pallets/jinja[Jinja2]
=== Noncompliant code example
[source,python]
----
from jinja2 import Environment
env = Environment() # Noncompliant; New Jinja2 Environment has autoescape set to false
env = Environment(autoescape=False) # Noncompliant
----
=== Compliant solution
[source,python]
----
from jinja2 import Environment
env = Environment(autoescape=True) # Compliant
----
== Resources
* https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md[OWASP Cheat Sheet] - XSS Prevention Cheat Sheet
* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
* https://cwe.mitre.org/data/definitions/80[MITRE, CWE-80] - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
* https://cwe.mitre.org/data/definitions/81[MITRE, CWE-81] - Improper Neutralization of Script in an Error Message Web Page
* https://cwe.mitre.org/data/definitions/82[MITRE, CWE-82] - Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
* https://cwe.mitre.org/data/definitions/83[MITRE, CWE-83] - Improper Neutralization of Script in Attributes in a Web Page
* https://cwe.mitre.org/data/definitions/84[MITRE, CWE-84] - Improper Neutralization of Encoded URI Schemes in a Web Page
* https://cwe.mitre.org/data/definitions/85[MITRE, CWE-85] - Doubled Character XSS Manipulations
* https://cwe.mitre.org/data/definitions/86[MITRE, CWE-86] - Improper Neutralization of Invalid Characters in Identifiers in Web Pages
* https://cwe.mitre.org/data/definitions/87[MITRE, CWE-87] - Improper Neutralization of Alternate XSS Syntax
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Remove this configuration disabling autoescape globally.
'''
== Comments And Links
(visible only on this page)
=== on 20 Sep 2019, 14:25:22 Pierre-Yves Nicolas wrote:
\[~pierre-loup.tristant] What should be the message displayed on the issues raised for this RSPEC?
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink