generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param

Author: semgrep

Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting (XSS). XSS is a type of injection in which malicious scripts are injected into otherwise benign and trusted websites: a value read from $CurrentPage.parameters is attacker-controlled, and once it is rendered unescaped the attacker can choose where the HTML or JavaScript context ends. To remediate this issue, escape every URL parameter for the context it is written into before including it in the page. For values placed inside a JavaScript string literal, wrap them with JSENCODE (HTMLENCODE is not sufficient inside a script, and JSINHTMLENCODE is the right choice when the script lives in an HTML attribute). For values rendered as HTML, rely on the escape="true" behaviour of <apex:outputText>, which is the default; do not set escape="false" on a value that comes from a URL parameter. Note that this rule only flags an <apex:outputText> with an explicit escape="false" and a parameter placed inside a single-quoted string literal within a <script> block; a parameter used unquoted in script, in a double-quoted literal, or in an inline event-handler attribute is not reported by these patterns and still needs the same treatment.

Definition

rules:
  - id: xss-from-unescaped-url-param
    languages:
      - generic
    severity: ERROR
    message: Passing URL parameters directly into scripts and DOM sinks creates
      an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting
      (XSS) attacks are a type of injection, in which malicious scripts are
      injected into otherwise benign and trusted websites. To remediate this
      issue, ensure that all URL parameters are properly escaped before
      including them in scripts. Please update your code to use either the
      JSENCODE method to escape URL parameters or the escape="true" attribute
      on <apex:outputText> tags.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm
      category: security
      subcategory:
        - vuln
      technology:
        - salesforce
        - visualforce
      cwe2022-top25: true
      cwe2021-top25: true
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    patterns:
      - pattern-either:
          - pattern: <apex:outputText...escape="false"...value="{!...CurrentPage.parameters.$URL_PARAM}".../>
          - pattern: <apex:outputText...value="{!...CurrentPage.parameters.$URL_PARAM}"...escape="false".../>
          - pattern: <script>...'{!...CurrentPage.parameters.$URL_PARAM}'...</script>
      - pattern-not: <script>...'{!...JSENCODE(...CurrentPage.parameters.$URL_PARAM})'...</script>
    paths:
      include:
        - "*.component"
        - "*.page"

Examples

XSSFromUnescapedURLParam.page

<!-- ruleid: xss-from-unescaped-url-param -->
<apex:outputText escape="false" value="{!$CurrentPage.parameters.urlParam}" />

<!-- ok: xss-from-unescaped-url-param -->
<apex:outputText escape="true" value="{!$CurrentPage.parameters.urlParam}" />

<!-- ok: xss-from-unescaped-url-param -->
<apex:outputText value="{!$CurrentPage.parameters.urlParam}" />

<!-- ruleid: xss-from-unescaped-url-param -->
<script>var foo = '{!$CurrentPage.parameters.urlParam}';</script>

<!-- ok: xss-from-unescaped-url-param -->
<script>var foo = '{!JSENCODE($CurrentPage.parameters.urlParam)}';</script>