mirror of
https://github.com/github/codeql.git
synced 2026-04-12 02:24:00 +02:00
56 lines
1.8 KiB
XML
56 lines
1.8 KiB
XML
<!DOCTYPE qhelp PUBLIC
|
|
"-//Semmle//qhelp//EN"
|
|
"qhelp.dtd">
|
|
<qhelp>
|
|
|
|
<overview>
|
|
<p>
|
|
Directly writing user input (for example, an HTTP request parameter) to a webpage,
|
|
without properly sanitizing the input first, allows for a cross-site scripting
|
|
vulnerability.
|
|
</p>
|
|
</overview>
|
|
|
|
<recommendation>
|
|
<p>
|
|
To guard against cross-site scripting, escape user input before writing it
|
|
to the page. Some frameworks, such as Rails, perform this escaping
|
|
implicitly and by default.
|
|
</p>
|
|
|
|
<p>
|
|
Take care when using methods such as <code>html_safe</code> or
|
|
<code>raw</code>. They can be used to emit a string without escaping
|
|
it, and should only be used when the string has already been manually
|
|
escaped (for example, with the Rails <code>html_escape</code> method), or when
|
|
the content is otherwise guaranteed to be safe (such as a hard-coded string).
|
|
</p>
|
|
</recommendation>
|
|
|
|
<example>
|
|
<p>
|
|
The following example is safe because the
|
|
<code>params[:user_name]</code> content within the output tags will be
|
|
HTML-escaped automatically before being emitted.
|
|
</p>
|
|
<sample src="examples/safe.html.erb" />
|
|
|
|
<p>
|
|
However, the following example is unsafe because user-controlled input is
|
|
output without escaping, since it is marked as <code>html_safe</code>.
|
|
</p>
|
|
<sample src="examples/reflective_xss.html.erb" />
|
|
</example>
|
|
|
|
<references>
|
|
<li>
|
|
OWASP:
|
|
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#cross-site-scripting-xss">XSS
|
|
Ruby on Rails Cheatsheet</a>.
|
|
</li>
|
|
<li>
|
|
Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
|
|
</li>
|
|
</references>
|
|
</qhelp>
|