ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5439/python/rule.adoc
Arseniy Zaostrovnykh a6e4582881 Fix the missing default metadata fields
2021-04-28 18:08:03 +02:00

56 lines
3.1 KiB
Plaintext
Raw Blame History

Template engines have an HTML autoescape mechanism that protects web applications against most common cross-site-scripting (XSS) vulnerabilities.
By default, it automatically replaces HTML special characters in any template variables. This secure by design configuration should not be globally disabled.
Escaping HTML from template variables prevents switching into any execution context, like ``++<script>++``. Disabling autoescaping forces developers to manually escape each template variable for the application to be safe. A more pragmatic approach is to escape by default and to manually disable escaping when needed.
A successful exploitation of a cross-site-scripting vulnerability by an attacker allow him to execute malicious JavaScript code in a user's web browser. The most severe XSS attacks involve:
* Forced redirection
* Modify presentation of content
* User accounts takeover after disclosure of sensitive information like session cookies or passwords
This rule supports the following libraries:
* https://github.com/django/django[Django Templates]
* https://github.com/pallets/jinja[Jinja2]
== Noncompliant Code Example
----
from jinja2 import Environment
env = Environment() # Noncompliant; New Jinja2 Environment has autoescape set to false
env = Environment(autoescape=False) # Noncompliant
----
== Compliant Solution
----
from jinja2 import Environment
env = Environment(autoescape=True) # Compliant
----
== See
* https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md[OWASP Cheat Sheet] - XSS Prevention Cheat Sheet
* https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A9] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/79.html[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
* https://cwe.mitre.org/data/definitions/80.html[MITRE, CWE-80] - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
* https://cwe.mitre.org/data/definitions/81.html[MITRE, CWE-81] - Improper Neutralization of Script in an Error Message Web Page
* https://cwe.mitre.org/data/definitions/82.html[MITRE, CWE-82] - Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
* https://cwe.mitre.org/data/definitions/83.html[MITRE, CWE-83] - Improper Neutralization of Script in Attributes in a Web Page
* https://cwe.mitre.org/data/definitions/84.html[MITRE, CWE-84] - Improper Neutralization of Encoded URI Schemes in a Web Page
* https://cwe.mitre.org/data/definitions/85.html[MITRE, CWE-85] - Doubled Character XSS Manipulations
* https://cwe.mitre.org/data/definitions/86.html[MITRE, CWE-86] - Improper Neutralization of Invalid Characters in Identifiers in Web Pages
* https://cwe.mitre.org/data/definitions/87.html[MITRE, CWE-87] - Improper Neutralization of Alternate XSS Syntax
* https://www.sans.org/top25-software-errors/#cat1[SANS Top 25] - Insecure Interaction Between Components
Reference in New Issue View Git Blame Copy Permalink