update qhelp

This commit is contained in:
Erik Krogh Kristensen
2020-04-20 12:59:17 +02:00
parent 73b0aa4004
commit 9fc29ee0f8

@@ -8,9 +8,9 @@
Extracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.
</p>
<p>
A webpage with this vulnerability unescapes an otherwise sanitized text,
and thereby allows an attacker to use sanitized text in the DOM to perform a
cross-site scripting attack.
A webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM.
Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text.
If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.
</p>
</overview>
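Review bot: The last added sentence says "the safe sanitized text", which reads as a contradiction and introduces a term the two preceding added sentences do not use; they speak only of "text from the DOM" and of "escaping done on the text". Suggest "If an attacker is able to control the text that is read from the DOM, then this vulnerability can be exploited to perform a cross-site scripting attack", so the reader is not left thinking the input must first pass a sanitizer for the query to apply. It would also help to say in the second added sentence that the escaping was only valid while the value was treated as text, since that is the reason "effectively unescapes" holds.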