javascript.browser.security.insecure-document-method.insecure-document-method
semgrepAuthor
4,974
Download Count*
License
User controlled data in methods like innerHTML, outerHTML or document.write is an anti-pattern that can lead to XSS vulnerabilities
Run Locally
Run in CI
Defintion
rules:
- id: insecure-document-method
message: User controlled data in methods like `innerHTML`, `outerHTML` or
`document.write` is an anti-pattern that can lead to XSS vulnerabilities
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
category: security
technology:
- browser
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
references:
- https://owasp.org/Top10/A03_2021-Injection
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
languages:
- javascript
- typescript
severity: ERROR
patterns:
- pattern-either:
- pattern: |
$EL.innerHTML = $HTML;
- pattern: |
$EL.outerHTML = $HTML;
- pattern: document.write(...)
- pattern-not: |
$EL.innerHTML = "...";
- pattern-not: |
$EL.outerHTML = "...";
- pattern-not: document.write("...")
Examples
insecure-document-method.js
const el = element.innerHTML;
function bad1(userInput) {
// ruleid: insecure-document-method
el.innerHTML = '<div>' + userInput + '</div>';
}
function bad2(userInput) {
// ruleid: insecure-document-method
document.body.outerHTML = userInput;
}
function bad3(userInput) {
const name = '<div>' + userInput + '</div>';
// ruleid: insecure-document-method
document.write(name);
}
function ok1() {
const name = "<div>it's ok</div>";
// ok: insecure-document-method
el.innerHTML = name;
}
function ok2() {
// ok: insecure-document-method
document.write("<div>it's ok</div>");
}
Short Link: https://sg.run/LwA9