contrib.nodejsscan.xss_templates.squirrelly_autoescape

Squirrelly `autoEscaping(false)` turns off the template engine's automatic HTML escaping. Untrusted user input rendered by any template after this call can cause XSS.
Definition
rules:
- id: squirrelly_autoescape
pattern: $X.autoEscaping(false)
message: Squirrelly autoEscaping(false) turns off automatic HTML escaping for templates.
Untrusted user input rendered by any template after this call can cause XSS.
languages:
- javascript
severity: ERROR
metadata:
owasp: A07:2017 - Cross-Site Scripting (XSS)
cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
category: security
technology:
- node.js
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
xss_templates.js
function name() {
  // Fixture for the handlebars_safestring rule: SafeString marks its argument
  // as already-escaped HTML, so whatever it wraps is emitted verbatim.
  const markup = '<h1>hell0</h1>';
  // Intentionally unused: it exists only so the first annotated line matches.
  // ruleid:handlebars_safestring
  const wrapped = new Handlebars.SafeString(markup);
  // ruleid:handlebars_safestring
  return new Handlebars.SafeString('<img src="" onload=alert(0)>');
}
function test2() {
  // Fixture for the handlebars_safestring rule via an instance rather than
  // the module object; the wrapped value is still never escaped.
  const plain = 'foooo';
  const hb = new Handlebars;
  // ruleid:handlebars_safestring
  return hb.SafeString(plain);
}
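// Fixtures for the handlebars_noescape and squirrelly_autoescape rules.
// `source` and `Sqrl` are free identifiers here (the fixture is a pattern
// target, not runnable code); the lines are kept in the shape the rules match.
// ruleid:handlebars_noescape
let template = Handlebars.compile(source, { noEscape: true });
// Reassigned instead of redeclaring `template` a second time.
template = "This is {{target}}";
const target = "user's pictures";
// `noEscape: true` disables HTML escaping for every `{{...}}` the compiled
// template renders. (Module name typo `Handlerbars` fixed.)
// ruleid:handlebars_noescape
const result = Handlebars.compile(template, { noEscape: true })({ target });
// ruleid:squirrelly_autoescape
Sqrl.autoEscaping(false);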