add qhelp

This commit is contained in:
Erik Krogh Kristensen
2021-04-26 11:47:52 +02:00
parent ee0140e704
commit 7ef641e7b2
4 changed files with 93 additions and 0 deletions

@@ -0,0 +1,80 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Dynamically constructing HTML with inputs from exported functions may
inadvertently leave a client open to XSS attacks.
Clients using the exported function may use inputs containing unsafe HTML,
and if these inputs end up in the DOM, the client may be vulnerable to
cross-site scripting attacks.
</p>
</overview>
<recommendation>
<p>
If possible, use safe APIs when inserting HTML into the DOM.
Such as writing to the <code>innerText</code> property instead of <code>innerHTML</code>.
</p>
<p>
Alternatively, use a HTML sanitizer to escape/remove unsafe content.
</p>
</recommendation>
<example>
<p>
The following example shows a library function that shows a boldface name
by writing to the <code>innerHTML</code> property of an element.
</p>
<sample src="examples/unsafe-html-construction.js" />
<p>
This library function, however, does not escape unsafe HTML, and a client
that calls the function with user-supplied input may be vulnerable to
cross-site scripting attacks.
</p>
<p>
To avoid such attacks, a program can use safe APIs such as <code>innerText</code>.
</p>
<sample src="examples/unsafe-html-construction_safe.js" />
<p>
Alternatively, use a HTML sanitizer to remove unsafe content.
</p>
<sample src="examples/unsafe-html-construction_sanitizer.js" />
</example>
<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet">DOM based
XSS Prevention Cheat Sheet</a>.
</li>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">XSS
(Cross Site Scripting) Prevention Cheat Sheet</a>.
</li>
<li>
OWASP
<a href="https://www.owasp.org/index.php/DOM_Based_XSS">DOM Based XSS</a>.
</li>
<li>
OWASP
<a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">Types of Cross-Site
Scripting</a>.
</li>
<li>
Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
</li>
</references>
</qhelp>
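Review bot: the recommendation text has a sentence fragment, "Such as writing to the <code>innerText</code> property instead of <code>innerHTML</code>."; folding it into the preceding sentence ("If possible, use safe APIs when inserting untrusted data into the DOM, such as writing to the innerText property instead of innerHTML.") also fixes the wording, since innerText inserts text rather than HTML and that is exactly why it is safe. "a HTML sanitizer" appears twice (recommendation and example) and should read "an HTML sanitizer". The references list is inconsistent: the first two entries read "OWASP:" while the third and fourth read "OWASP" with no colon. Consider naming textContent next to innerText, as it is the standard DOM property and avoids innerText's rendering-dependent quirks (for example newline-to-<br> conversion on assignment) while equally avoiding HTML parsing.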

@@ -0,0 +1,3 @@
module.exports = function showBoldName(name) {
document.getElementById('name').innerHTML = "<b>" + name + "</b>";
}

@@ -0,0 +1,5 @@
module.exports = function showBoldName(name) {
const bold = document.createElement('b');
bold.innerText = name;
document.getElementById('name').appendChild(bold);
}
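Review bot: the hardened sample is not behaviour-equivalent to the unsafe one: the innerHTML assignment replaced the target element's content, whereas appendChild adds another <b> child on every call, so repeated calls accumulate names. Clearing the target first (for example "const el = document.getElementById('name'); el.textContent = '';" before "el.appendChild(bold);") keeps the before/after pair comparable and avoids readers copying an example that leaks DOM nodes. Using textContent instead of innerText for the text assignment would also match the recommendation in the qhelp if that is updated to mention it.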

@@ -0,0 +1,5 @@
const striptags = require('striptags');
module.exports = function showBoldName(name) {
document.getElementById('name').innerHTML = "<b>" + striptags(name) + "</b>";
}
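Review bot: striptags only removes tags; it does not encode what remains, so this sample covers the "remove" half of the qhelp's "escape/remove unsafe content" but not the "escape" half. That is adequate here because the value lands in element content and any remaining entities are simply parsed as text, but the qhelp prose should say that the right sanitizer depends on where the data is inserted (element content versus an attribute or URL value), or drop the "escape" wording so the text and the sample agree.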