rspec/rules/S2578/html/rule.adoc
jtingsanchali 96d9ddb930
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926)
* Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files
2022-04-07 08:53:59 -05:00


In cross-site scripting attacks, attackers insert attack scripts into your pages. Because no system is fool-proof, it may not be enough to screen the data that's submitted to an application. You should also escape any content sent to the user so that any malicious code that may have escaped your input screening is neutralized. Specifically, the characters crucial to forming HTML (``++&++``, ``++<++``, ``++>++``, ``++"++``, ``++'++``, and ``++/++``) must be escaped.
This rule checks that values are not written directly into ``++application/json++`` blocks or JavaScript variables.
== Noncompliant Code Example
[source,html]
----
<script id="data" type="application/json">
<%= data.json_payload %> // Noncompliant
</script>
<script>
var initialData = <%= data.json_payload %>; // Noncompliant
</script>
----
== Compliant Solution
[source,html]
----
<script id="data" type="application/json">
<c:out value="${data.json_payload}"/> // by default, escapeXml="true" but it can also be specified explicitly
</script>
<script>
var initialData = <%= escape_html(data.json_payload) %>;
</script>
----
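The same two contexts rendered server-side in Node.js, as an added example that is not part of the rule or of the JSP snippets above. It goes one step beyond the compliant solution: for the JavaScript-variable context it shows that entity-escaping the payload would corrupt the JSON, so the HTML-significant characters are written as `\uXXXX` escapes instead, which both JSON and JavaScript accept. The payload object and the `render*` helpers are constructed for this example.

```javascript
// Added example: escaping a JSON payload before embedding it in a page.
// Context 1: an application/json data block, escaped with HTML entities (what <c:out> does).
// Context 2: a JavaScript variable, where entity escaping would break the JSON, so the
//            same characters are emitted as \uXXXX escapes that JSON.parse still understands.

// The characters the rule lists as crucial to forming HTML, with their entity forms.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(str) {
  return String(str).replace(/[&<>"'/]/g, (ch) => HTML_ENTITIES[ch]);
}

// JSON.stringify output is valid JavaScript, but a "</script>" inside a string value would
// still terminate the enclosing <script> element. Re-encode the HTML-significant characters
// (not the double quote, which JSON needs) as \uXXXX so the text stays parseable JSON.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&'/]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Noncompliant rendering: the raw payload is written into the page (hypothetical helper).
function renderUnsafe(jsonPayload) {
  return '<script id="data" type="application/json">' + jsonPayload + '</script>';
}

// Compliant renderings for the two contexts (hypothetical helpers).
function renderDataBlock(jsonPayload) {
  return '<script id="data" type="application/json">' + escapeHtml(jsonPayload) + '</script>';
}
function renderJsVariable(value) {
  return '<script>var initialData = ' + jsonForScript(value) + ';</script>';
}

// Check used by the test: a correctly rendered page contains exactly one closing </script>
// for the element we emitted; a second one means the payload broke out of the block.
function closingScriptTags(markup) {
  return (markup.match(/<\/script/gi) || []).length;
}

// Constructed sample payload containing the characters that matter.
const SAMPLE = { user: "O'Neil & Sons", note: '</script><b>injected</b>' };

module.exports = { escapeHtml, jsonForScript, renderUnsafe, renderDataBlock, renderJsVariable, closingScriptTags, SAMPLE };
```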
== See
* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
* https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md[OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet]
* https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
* https://cwe.mitre.org/data/definitions/352[MITRE, CWE-352] - Cross-Site Request Forgery (CSRF)
* https://www.sans.org/top25-software-errors/#cat1[SANS Top 25] - Insecure Interaction Between Components
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]