generic.html-templates.security.var-in-script-tag.var-in-script-tag

Community Favorite
profile photo of semgrepsemgrep
Author
76,191
Download Count*

Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., document.getElementById).

Run Locally

Run in CI

Defintion

rules:
  - id: var-in-script-tag
    message: Detected a template variable used in a script tag. Although template
      variables are HTML escaped, HTML escaping does not always prevent
      cross-site scripting (XSS) attacks when used directly in JavaScript. If
      you need this data on the rendered page, consider placing it in the HTML
      portion (outside of a script tag). Alternatively, use a
      JavaScript-specific encoder, such as the one available in OWASP ESAPI. For
      Django, you may also consider using the 'json_script' template tag and
      retrieving the data in your script by using the element ID (e.g.,
      `document.getElementById`).
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A
        - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
        - https://github.com/ESAPI/owasp-esapi-js
      category: security
      technology:
        - html-templates
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - generic
    paths:
      include:
        - "*.mustache"
        - "*.hbs"
        - "*.html"
    severity: WARNING
    patterns:
      - pattern-inside: <script ...> ... </script>
      - pattern-not-inside: <script ... $ATTR = "..." ...>
      - pattern-not-inside: <script ... $ATTR = '...' ...>
      - pattern: "{{ ... }}"

Examples

var-in-script-tag.html

<!DOCTYPE html>
<html>
    <head></head>
    <body>
        <script>
            // ruleid: var-in-script-tag
            const mydata = {{ mydata_json|safe }};
            // ruleid: var-in-script-tag
            const moredata = {{ mydata_json }};
        </script>
        <div>
            <!-- ok: var-in-script-tag -->
            <p>{{ this_is_fine }}</p>
        </div>
    </body>

    <!-- ok: var-in-script-tag -->
    <script src="./{{ reactDemoIndexBundleJs }}" crossOrigin="anonymous" integrity="{{ sri.reactDemoIndexBundleJs }}"></script>

</html>

var-in-script-tag.mustache

<!-- cf. https://github.com/caiomartini/mustache-demo/blob/97b9200ebd2d27953febff23e6718aa1aa9ee44d/demo-mustache.html -->
<!DOCTYPE HTML>
<html>

<head>
    <title>Demo Mustache.JS</title>
    <meta charset="utf-8">
    <link rel="stylesheet" href="node_modules\bootstrap\dist\css\bootstrap.min.css">
    <script type="text/javascript" src="node_modules\jquery\dist\jquery.min.js"></script>
    <script type="text/javascript" src="node_modules\bootstrap\dist\js\bootstrap.min.js"></script>
    <script type="text/javascript" src="node_modules\mustache\mustache.min.js"></script>
    <script type="text/javascript" src="demo-mustache.js"></script>
</head>

<body onload="carregarDemo();">
    <div class="content">
        <div id="mustache-header"></div>
        <div id="mustache-cards"></div>
    </div>
</body>

<script type="text/javascript">
    <!-- ruleid: var-in-script-tag -->
    var message = {{ message }};
</script>

<script type="text/javascript">
    <!-- ruleid: var-in-script-tag -->
    var message = {{ message }};
    console.log(message);
    console.log("more statements here");
    <!-- ruleid: var-in-script-tag -->
    var message2 = {{ message2 }};
    var flash = document.getElementById("flash");
    flash.text = message;
</script>

<script type="text/javascript" src="mustache.js"></script>
<!-- ok: var-in-script-tag -->
{{ message }}
<script type="text/javascript" src="demo.js"></script>

<div class="text-center">
    <h2>Apresentando o time da <b>{{time.nome}}</b></h2>
    <h6>Predio {{time.predio}}</h6>
</div>
{{#time}}
<div class="container" style="margin-top: 30px;">
    <div class="row">
        {{#squads}}
        <div class="col-sm-6">
            <div class="card">
                <div class="card-header text-center">
                    <b>{{nome}}</b>
                </div>
                <div class="card-body">
                    {{! Partial de tabela de membros do Squad }}
                    {{> template-table}}
                </div>
            </div>
        </div>
        {{/squads}}
    </div>
</div>
{{/time}}

<!-- ok: var-in-script-tag -->
<script src="./{{ reactDemoIndexBundleJs }}" crossOrigin="anonymous" integrity="{{ sri.reactDemoIndexBundleJs }}"></script>

</html>