html.security.audit.insecure-document-method.insecure-document-method

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Detected the use of an inner/outerHTML assignment. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use a dangerous web API, consider using a sanitization library such as DOMPurify to sanitize the HTML before it is assigned.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: insecure-document-method
    message: Detected the use of an inner/outerHTML assignment.  This can introduce
      a Cross-Site-Scripting (XSS) vulnerability if this  comes from
      user-provided input. If you have to use a dangerous web API,  consider
      using a sanitization library such as DOMPurify to sanitize  the HTML
      before it is assigned.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      category: security
      technology:
        - browser
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - html
    severity: WARNING
    patterns:
      - pattern-inside: |
          <script ...>$...A</script>
      - metavariable-pattern:
          metavariable: $...A
          language: javascript
          patterns:
            - pattern-either:
                - patterns:
                    - pattern-either:
                        - pattern: $X. ... .innerHTML = ...
                        - pattern: $X. ... .outerHTML = ...
                    - pattern-not: $X. ... .$V = "..."
            - focus-metavariable: $X

Examples

insecure-document-method.html

<!-- ruleid: insecure-document-method-->
<script>
    const rootDiv = document.getElementById('root');
    import { sanitize } from "dompurify"
    const hash = location.hash.slice(1)
    

    rootDiv.innerHTML = hash1;
    
    const obj2 = { foo: 'baz', y: hash1 };
    
    const clonedObj = { ...obj2 };
    
    
    rootDiv.outerHTML = clonedObj.y;
    
    // ok: insecure-document-method
    rootDiv.innerHTML = "safe";
    
    
    
    </script>