70f7535988
The Code Scanning UI shows just the first paragraph of the query help as a summary, until a user chooses to expand the help. We decided it was more useful to display the standard query help in this summary compared to the experimental query notice, since there is already a notice about experimental queries on the alert show page.
1.7 KiB
Client-side cross-site scripting (experimental)
Directly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.
This kind of vulnerability is also called DOM-based cross-site scripting, to distinguish it from other types of cross-site scripting.
Note: This CodeQL query is an experimental query. Experimental queries generate alerts using machine learning. They might include more false positives but they will improve over time.
Recommendation
To guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.
Example
The following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.
function setLanguageOptions() {
var href = document.location.href,
deflt = href.substring(href.indexOf("default=")+8);
document.write("<OPTION value=1>"+deflt+"</OPTION>");
document.write("<OPTION value=2>English</OPTION>");
}
References
- OWASP: DOM based XSS Prevention Cheat Sheet.
- OWASP: XSS (Cross Site Scripting) Prevention Cheat Sheet.
- OWASP DOM Based XSS.
- OWASP Types of Cross-Site Scripting.
- Wikipedia: Cross-site scripting.