contrib.nodejsscan.xss_serialize_js.xss_serialize_javascript

Untrusted user input reaching serialize-javascript with the unsafe attribute can cause Cross Site Scripting (XSS).
Definition
```yaml
rules:
  - id: xss_serialize_javascript
    patterns:
      - pattern-inside: |
          ...
          $S = require('serialize-javascript');
          ...
      - pattern-not-inside: escape(...)
      - pattern-not-inside: encodeURI(...)
      - pattern: |
          $S(..., {unsafe: true});
    message: Untrusted user input reaching `serialize-javascript` with `unsafe`
      attribute can cause Cross Site Scripting (XSS).
    severity: WARNING
    languages:
      - javascript
    metadata:
      owasp: A01:2017 - Injection
      cwe: "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page"
      category: security
      technology:
        - node.js
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
```
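Why the rule flags `unsafe: true`, as an added example that is not part of the rule or of serialize-javascript itself: `toInlineScript` is a hypothetical stand-in that reproduces the character escaping the library applies by default (so the block runs offline), and the sample state is constructed.

```javascript
// Added example, not code from the nodejsscan rule or the serialize-javascript package.
// toInlineScript is a hypothetical stand-in for serialize-javascript's default escaping.
const ESCAPED_CHARS = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Default behaviour (unsafe: false): JSON-serialize, then escape the characters
// that could end an inline <script> element or break a JS string literal.
// With unsafe: true the escaping step is skipped and the raw JSON is emitted.
function toInlineScript(value, options = {}) {
  const json = JSON.stringify(value);
  if (options.unsafe) {
    return json;
  }
  return json.replace(/[<>\/\u2028\u2029]/g, (ch) => ESCAPED_CHARS[ch]);
}

// Embed server state into an inline script, as an SSR template typically does.
function renderPage(state, options) {
  return `<script>window.__STATE__ = ${toInlineScript(state, options)};</script>`;
}

// The HTML parser closes a script element at the first "</script" it sees,
// regardless of JavaScript string quoting. A hit inside the data means the
// attacker-controlled value has left script context and can inject markup.
function breaksOutOfScript(html) {
  const body = html.slice('<script>'.length, html.lastIndexOf('</script>'));
  return /<\/script/i.test(body);
}

// Constructed sample: one field the end user controls, such as a display name.
const STATE = { name: '</script><b>injected</b>', role: 'user' };

const unsafeHtml = renderPage(STATE, { unsafe: true }); // what the rule warns about
const safeHtml = renderPage(STATE);                     // default escaping kept
```

The escaped form is still valid JSON, so the browser reconstructs the original string value; only the HTML-significant characters change representation.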
Short Link: https://sg.run/kXle