mirror of
https://github.com/github/codeql.git
synced 2026-05-10 01:10:09 +02:00
<!DOCTYPE qhelp PUBLIC
  "-//Semmle//qhelp//EN"
  "qhelp.dtd">
<qhelp>

<overview>
<p>
Writing an exception directly to a web page without encoding it first creates a cross-site scripting
vulnerability if the value of the exception can be influenced by a user. Exception messages frequently
echo the input that caused them, so an attacker who controls that input controls part of what is
written to the page.
</p>
</overview>

<recommendation>
<p>
To guard against cross-site scripting, apply contextual output encoding/escaping to the exception text
before writing it to the page (or write it through a non-HTML sink such as <code>textContent</code>
instead of <code>innerHTML</code>), or use one of the other solutions that are mentioned in the
references.
</p>
</recommendation>

<example>
<p>
The following example shows an exception being written directly to the document. The value of this
exception can be influenced by the page URL, leaving the website vulnerable to cross-site scripting.
</p>
<sample src="examples/ExceptionXss.js" />
</example>
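The following is an added example and not part of the CodeQL query's own sample code. It uses a hypothetical option parser (parseOptions) that, like many real parsers, echoes the offending input in its error message, and shows the unencoded write beside the encoded one (renderErrorUnsafe and renderErrorSafe are invented names). The attacker value is constructed; in a real page it would arrive through something like location.search. Less-than and ampersand characters are written as \u escapes so the block can live inside this XML file; the runtime values are unchanged.

```javascript
// Added example, not the CodeQL repository's code. Demonstrates an exception
// whose message carries attacker-controlled text being written to HTML.
// Hypothetical helpers: parseOptions, renderErrorUnsafe, renderErrorSafe.
// XML-special characters are spelled as \u escapes so the snippet can sit
// inside a qhelp file; LT is "less-than", GT "greater-than", AMP "ampersand".

const LT = "\u003c", GT = "\u003e", AMP = "\u0026";

// A tiny "key=value;key=value" parser. Like many libraries, it reports the
// bad input back in the error message, so the exception value is tainted.
function parseOptions(text) {
  const allowed = new Set(["lang", "theme"]);
  const result = {};
  for (const pair of text.split(";")) {
    const [key, value] = pair.split("=");
    if (!allowed.has(key)) {
      // Untrusted input flows into the exception.
      throw new Error("Bad option: " + pair);
    }
    result[key] = value;
  }
  return result;
}

// Vulnerable: the exception is concatenated into HTML. If `source` came from
// the page URL, a crafted link puts attacker markup on the page.
function renderErrorUnsafe(source) {
  try {
    parseOptions(source);
    return "";
  } catch (e) {
    return "Had an error: " + e + ".";   // string destined for element.innerHTML
  }
}

// Minimal contextual encoding for the HTML body context.
function escapeHtml(s) {
  const map = {
    [AMP]: AMP + "amp;", [LT]: AMP + "lt;", [GT]: AMP + "gt;",
    '"': AMP + "quot;", "'": AMP + "#x27;",
  };
  return String(s).replace(/[\u0026\u003c\u003e"']/g, (c) => map[c]);
}

// Hardened: same message, encoded before it reaches the HTML sink.
// Assigning the raw message to element.textContent instead of innerHTML
// would be the other correct fix when no markup is needed at all.
function renderErrorSafe(source) {
  try {
    parseOptions(source);
    return "";
  } catch (e) {
    return "Had an error: " + escapeHtml(String(e)) + ".";
  }
}

// Constructed attacker value, as it might arrive via a URL parameter.
const payload = LT + "img src=x onerror=alert(1)" + GT;
```

With the constructed payload, renderErrorUnsafe returns a string containing the raw img tag, which a browser executes when assigned to innerHTML, while renderErrorSafe returns the same text with the tag characters encoded, so the browser displays it instead.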

<references>
<li>
OWASP:
<a href="https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html">DOM based
XSS Prevention Cheat Sheet</a>.
</li>
<li>
OWASP:
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">XSS
(Cross Site Scripting) Prevention Cheat Sheet</a>.
</li>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/DOM_Based_XSS">DOM Based XSS</a>.
</li>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">Types of Cross-Site
Scripting</a>.
</li>
<li>
Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
</li>
</references>
</qhelp>