JS: add qhelp

javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.qhelp

@@ -0,0 +1,86 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+	<overview>
+		<p>
+
+			Sanitizing untrusted input for HTML meta-characters is an important
+			technique for preventing cross-site scripting attacks. Usually, this
+			is done by escaping <code>&lt;</code>, <code>&gt;</code>,
+			<code>&amp;</code> and <code>&quot;</code>. But the context in which
+			the sanitized value is used decides which characters that actually
+			need to be sanitized.
+
+		</p>
+
+		<p>
+
+			As a consequence, some programs only sanitize
+			<code>&lt;</code> and <code>&gt;</code> since those are the most
+			common dangerous characters. The lack of sanitization for
+			<code>&quot;</code> is problematic when an incompletely sanitized
+			value is used as an HTML attribute in a string that
+			<strong>later</strong> is parsed as HTML.
+
+		</p>
+
+	</overview>
+
+	<recommendation>
+
+		Sanitize all relevant HTML meta-characters when constructing
+		HTML dynamically, pay special attention to where the sanitized value is used.
+
+	</recommendation>
+
+	<example>
+
+		<p>
+
+			The following example code writes part of an HTTP request (which is
+			controlled by the user) to an HTML attribute of the server response.
+
+			The user-controlled value is, however, not sanitized for
+			<code>&quot;</code>. This leaves the website vulnerable to cross-site
+			scripting since an attacker can use a string like <code>"
+			onclick="alert(42)</code> to inject JavaScript code into the response.
+
+		</p>
+		<sample src="examples/IncompleteHtmlAttributeSanitization.js" />
+
+
+		<p>
+
+			Sanitizing the user-controlled data for
+			<code>&quot;</code> prevents the vulnerability:
+
+		</p>
+
+		<sample src="examples/IncompleteHtmlAttributeSanitizationGood.js" />
+
+	</example>
+
+	<references>
+		<li>
+			OWASP:
+			<a href="https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html">DOM based
+			XSS Prevention Cheat Sheet</a>.
+		</li>
+		<li>
+			OWASP:
+			<a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">XSS
+			(Cross Site Scripting) Prevention Cheat Sheet</a>.
+		</li>
+		<li>
+			OWASP
+			<a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">Types of Cross-Site
+			Scripting</a>.
+		</li>
+		<li>
+			Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
+		</li>
+	</references>
+
+</qhelp>

javascript/ql/src/Security/CWE-116/examples/IncompleteHtmlAttributeSanitization.js

@@ -0,0 +1,9 @@
+var app = require('express')();
+
+app.get('/user/:id', function(req, res) {
+	let id = req.params.id;
+	id = id.replace(/<|>/g, ""); // BAD
+	let userHtml = `<div data-id="${id}">${getUserName(id)} || Unknown name</div>`;
+	// ...
+	res.send(prefix + userHtml + suffix);
+});

javascript/ql/src/Security/CWE-116/examples/IncompleteHtmlAttributeSanitizationGood.js

@@ -0,0 +1,9 @@
+var app = require('express')();
+
+app.get('/user/:id', function(req, res) {
+	let id = req.params.id;
+	id = id.replace(/<|>|&|"/g, ""); // GOOD
+	let userHtml = `<div data-id="${id}">${getUserName(id)} || Unknown name</div>`;
+	// ...
+	res.send(prefix + userHtml + suffix);
+});