rspec/rules/S5696/javascript/rule.adoc

DOM cross site scripting vulnerabilities occur when user-controlled data like ``++document.location.hash++`` is directly used to execute client-side code.


User-controlled data should always be considered untrusted and validated before being used to modify the DOM.


== Noncompliant Code Example

Example of basic DOM-XSS attack (\http://vulnerable/page.html#<img onerror='alert(1); src='invalid-image' />):

[source,javascript]
----
const rootDiv = document.getElementById('root'); 
const hash = decodeURIComponent(location.hash.substr(1)); 
rootDiv.innerHTML = hash;
----


== Compliant Solution

https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/innerText[innerText] property of an html element sets or returns the text content of the element (removing all child nodes):

[source,javascript]
----
const rootDiv = document.getElementById('root'); 
const hash = decodeURIComponent(location.hash.substr(1)); 
rootDiv.innerText = hash;
----


== See

* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
* https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md[OWASP Cheat Sheet] - XSS Prevention Cheat Sheet
* https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* http://www.webappsec.org/projects/articles/071105.shtml[webappsec.org] -  DOM Based Cross Site Scripting or XSS of the Third Kind
* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
* https://www.sans.org/top25-software-errors/#cat1[SANS Top 25] - Insecure Interaction Between Components

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

endif::env-github,rspecator-view[]