ajinabraham.njsscan.xss_serialize_js.xss_serialize_javascript

profile photo of ajinabrahamajinabraham
Author
1,129
Download Count*
License

Untrusted user input reaching serialize-javascript with unsafe attribute can cause Cross Site Scripting (XSS).

Run Locally

Run in CI

Defintion

rules:
  - id: xss_serialize_javascript
    patterns:
      - pattern-inside: |
          $S = require('serialize-javascript')
          ...
      - pattern-not-inside: escape(...)
      - pattern-not-inside: encodeURI(...)
      - pattern: |
          $S(..., {unsafe: true})
    message: Untrusted user input reaching `serialize-javascript` with `unsafe`
      attribute can cause Cross Site Scripting (XSS).
    severity: WARNING
    languages:
      - javascript
    metadata:
      owasp-web: a1
      cwe: cwe-80
      license: LGPL-3.0-or-later