html.security.audit.insecure-document-method.insecure-document-method
semgrep
Author
unknown
Detected the use of an inner/outerHTML assignment. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use a dangerous web API, consider using a sanitization library such as DOMPurify to sanitize the HTML before it is assigned.
Definition
rules:
  - id: insecure-document-method
    message: Detected the use of an inner/outerHTML assignment. This can introduce
      a Cross-Site-Scripting (XSS) vulnerability if this comes from
      user-provided input. If you have to use a dangerous web API, consider
      using a sanitization library such as DOMPurify to sanitize the HTML
      before it is assigned.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      category: security
      technology:
        - browser
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - html
    severity: WARNING
    patterns:
      - pattern-inside: |
          <script ...>$...A</script>
      - metavariable-pattern:
          metavariable: $...A
          language: javascript
          patterns:
            - pattern-either:
                - patterns:
                    - pattern-either:
                        - pattern: $X. ... .innerHTML = ...
                        - pattern: $X. ... .outerHTML = ...
                    - pattern-not: $X. ... .$V = "..."
            - focus-metavariable: $X
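The rule above is a syntactic audit check: it flags any assignment to `innerHTML` or `outerHTML` whose right-hand side is not a bare string literal, and it does not track where that value came from. The following is an added example, not part of the Semgrep rule or its test file: a line-oriented JavaScript approximation of that matching logic run over a constructed snippet, so the blind spots behind the rule's LOW confidence are visible (a DOMPurify-sanitized assignment is still reported, a literal is not), followed by the remediation the rule message recommends. `SAMPLE`, `findInsecureAssignments`, `renderUntrusted` and `PAYLOAD` are this example's own names; the `sanitize` parameter is assumed to be `DOMPurify.sanitize` and is passed in so the code runs without a DOM.

```javascript
// Added example, not part of the Semgrep rule or its test file: a
// line-oriented approximation of what the rule flags, run over a
// constructed snippet, plus the remediation the rule message recommends.

// `$X. ... .innerHTML = ...` / `.outerHTML = ...`: a dotted receiver, the
// sink property, and a plain `=` (so `==` and `+=` are not matched here).
const SINK_RE =
  /^\s*([A-Za-z_$][\w$]*(?:\s*\.\s*[A-Za-z_$][\w$]*)*)\s*\.\s*(innerHTML|outerHTML)\s*=(?!=)\s*(.+?);?\s*$/;

// `pattern-not: $X. ... .$V = "..."`: a bare string literal on the right-hand
// side is not flagged. Template literals are treated as non-literal here;
// that is a conservative choice of this script, not a statement about Semgrep.
const STRING_LITERAL_RE = /^(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')$/;

function findInsecureAssignments(source) {
  const findings = [];
  source.split('\n').forEach((rawLine, i) => {
    const line = rawLine.replace(/\/\/.*$/, ''); // crude: also eats "//" inside strings
    const m = SINK_RE.exec(line);
    if (!m) return;
    const [, receiver, sink, rhs] = m;
    if (STRING_LITERAL_RE.test(rhs.trim())) return;
    findings.push({ line: i + 1, receiver, sink, rhs: rhs.trim() });
  });
  return findings;
}

// Constructed input modelled on the rule's test file.
const SAMPLE = [
  "const rootDiv = document.getElementById('root');",
  'const hash = location.hash.slice(1);',
  'rootDiv.innerHTML = hash;                        // flagged: untrusted input',
  'rootDiv.innerHTML = "<p>static</p>";             // not flagged: string literal',
  'rootDiv.innerHTML = "<b>" + hash + "</b>";       // flagged: concatenation is not a literal',
  'document.body.outerHTML = clonedObj.y;           // flagged: outerHTML, chained receiver',
  'rootDiv.innerHTML = DOMPurify.sanitize(hash);    // flagged too: no taint tracking, hence LOW confidence',
  'rootDiv.textContent = hash;                      // not a sink for this rule',
].join('\n');

// Remediation from the rule message: sanitize before assigning, or avoid the
// HTML sink altogether. `sanitize` is meant to be DOMPurify.sanitize (assumed,
// passed in so this runs without a DOM); with no sanitizer, fall back to
// textContent so the input is displayed rather than parsed as markup.
function renderUntrusted(root, untrusted, sanitize) {
  if (typeof sanitize === 'function') {
    // Still matched by this audit rule (right-hand side is not a literal):
    // review it once and suppress, or rely on taint-mode rules instead.
    root.innerHTML = sanitize(untrusted);
    return 'sanitized-html';
  }
  root.textContent = untrusted;
  return 'text';
}

// Classic probe used to confirm an HTML sink is live (constructed).
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';

// Stand-alone run: report the findings and exercise the helper against a
// stand-in for a DOM element.
console.table(findInsecureAssignments(SAMPLE));
const fakeRoot = { innerHTML: '', textContent: '' };
renderUntrusted(fakeRoot, PAYLOAD);
console.log('textContent fallback keeps the payload inert:', fakeRoot.textContent);
```

Run it with `node` to see which lines of `SAMPLE` the approximation reports. The point to take from the sanitized line is procedural: this rule is in the `audit` subcategory precisely because it cannot tell `sanitize(hash)` from `hash`, so every hit needs a human look at where the value originates, and the fix that needs no review at all is to stop writing markup and use `textContent` (or DOM construction) when the input is not supposed to contain HTML.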
Examples
insecure-document-method.html
<!-- ruleid: insecure-document-method -->
<script type="module">
  // `import` is only valid in a module script, so the import comes first.
  import { sanitize } from "dompurify";
  const rootDiv = document.getElementById('root');
  // Attacker-controlled: whatever follows '#' in the URL.
  const hash = location.hash.slice(1);
  // Unsanitized user input assigned to an HTML sink: flagged.
  rootDiv.innerHTML = hash;
  // The same value passed through an object spread: still flagged, since
  // the rule matches any non-literal right-hand side.
  const obj2 = { foo: 'baz', y: hash };
  const clonedObj = { ...obj2 };
  rootDiv.outerHTML = clonedObj.y;
  // ok: insecure-document-method
  rootDiv.innerHTML = "safe";
</script>
Short Link: https://sg.run/v4q4