e8563c6351
* Update code examples of data encoding to use more vertical space * Compliant / Noncompliant code examples are one after the other
107 lines
2.8 KiB
Plaintext
107 lines
2.8 KiB
Plaintext
include::../summary.adoc[]
|
|
|
|
== Why is this an issue?
|
|
|
|
include::../rationale.adoc[]
|
|
|
|
include::../impact.adoc[]
|
|
|
|
include::../threats.adoc[]
|
|
|
|
== How to fix it?
|
|
|
|
The following code is vulnerable to cross-site scripting because it returns an HTML response that contains unsanitized user input.
|
|
|
|
If you do not intend to send HTML code to clients, the vulnerability can be fixed by specifying the type of data returned in the response.
|
|
For example, you can use the `JsonResponse` class to safely return JSON messages.
|
|
|
|
[cols="a"]
|
|
|===
|
|
| ==== Noncompliant Code Example
|
|
|
|
|
[source,javascript]
|
|
----
|
|
function (req, res) {
|
|
json = JSON.stringify({ "data": req.query.input });
|
|
res.send(tainted); // Noncompliant
|
|
};
|
|
----
|
|
| ==== Compliant Solution
|
|
|
|
|
[source,javascript]
|
|
----
|
|
function (req, res) {
|
|
res.json({ "data": req.query.input });
|
|
};
|
|
----
|
|
|===
|
|
|
|
It is also possible to set the content-type header manually using the `content_type` parameter when creating an `HttpResponse` object.
|
|
|
|
[cols="a"]
|
|
|===
|
|
| ==== Noncompliant Code Example
|
|
|
|
|
[source,javascript]
|
|
----
|
|
function (req, res) {
|
|
res.send(req.query.input); // Noncompliant
|
|
};
|
|
----
|
|
| ==== Compliant Solution
|
|
|
|
|
[source,javascript]
|
|
----
|
|
function (req, res) {
|
|
res.set('Content-Type', 'text/plain');
|
|
res.send(req.query.input);
|
|
};
|
|
----
|
|
|===
|
|
|
|
=== How does this work?
|
|
|
|
In case the response consists of HTML code, it is highly recommended to use a template engine like https://ejs.co/[ejs] to generate it.
|
|
This template engine separates the view from the business logic and automatically encodes the output of variables, drastically reducing the risk of cross-site scripting vulnerabilities.
|
|
|
|
If you do not intend to send HTML code to clients, the vulnerability can be resolved by telling them what data they are receiving with the `content-type` HTTP header.
|
|
This header tells the browser that the response does not contain HTML code and should not be parsed and interpreted as HTML.
|
|
Thus, the HTTP response is not vulnerable to reflected Cross-Site Scripting.
|
|
|
|
For example, setting the content-type header to `text/plain` allows to safely reflect user input since browsers will not try to parse and execute the response.
|
|
|
|
=== Pitfalls
|
|
|
|
include::../common/pitfalls/content-types.adoc[]
|
|
|
|
include::../common/pitfalls/validation.adoc[]
|
|
|
|
== Resources
|
|
|
|
include::../common/resources/docs.adoc[]
|
|
|
|
* https://expressjs.com/en/api.html[Express, 4.x API]
|
|
|
|
include::../common/resources/articles.adoc[]
|
|
|
|
include::../common/resources/presentations.adoc[]
|
|
|
|
include::../common/resources/standards.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|