javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape

profile photo of semgrepsemgrep
Author
7,795
Download Count*
LGPL Commons Clause
License

Detected an explicit unescape in an EJS template, using '<%- ... %>' If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use '<%= ... %>' to escape this data. If you need escaping, ensure no external data can reach this location.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: template-explicit-unescape
    message: Detected an explicit unescape in an EJS template, using '<%- ... %>' If
      external data can reach these locations, your application is exposed to a
      cross-site scripting (XSS) vulnerability. Use '<%= ... %>' to escape this
      data. If you need escaping, ensure no external data can reach this
      location.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/
      category: security
      technology:
        - express
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - regex
    severity: WARNING
    paths:
      include:
        - "*.ejs"
        - "*.html"
    pattern-regex: <%-((?!include).)*?%>
    fix-regex:
      regex: <%-(.*?)%>
      replacement: <%=\1%>

Examples

explicit-unescape.ejs

<!-- cf. https://github.com/caiomartini/mustache-demo/blob/97b9200ebd2d27953febff23e6718aa1aa9ee44d/demo-mustache.html -->
<!DOCTYPE HTML>
<html>

<head>
    <title>Demo Mustache.JS</title>
    <meta charset="utf-8">
    <link rel="stylesheet" href="node_modules\bootstrap\dist\css\bootstrap.min.css">
    <script type="text/javascript" src="node_modules\jquery\dist\jquery.min.js"></script>
    <script type="text/javascript" src="node_modules\bootstrap\dist\js\bootstrap.min.js"></script>
    <script type="text/javascript" src="node_modules\mustache\mustache.min.js"></script>
    <script type="text/javascript" src="demo-mustache.js"></script>
</head>

<body onload="carregarDemo();">
    <div class="content">
        <div id="mustache-header"></div>
        <div id="mustache-cards"></div>
    </div>
</body>

<div class="jumbotron text-center">
    <!-- ruleid: template-explicit-unescape -->
    <h1 class="display-4">Oi, meu nome é <%- autor.nome %> <%= autor.sobrenome %>!</h1>
    <p class="lead">Isso é apenas uma demonstração de como utilizar o Mustache.JS</p>
</div>

<div class="text-center">
    <!-- ok: template-explicit-unescape -->
    <h2>Apresentando o time da <b><%= time.nome %></b></h2>
    <!-- ruleid: template-explicit-unescape -->
    <h6>Predio <%- time.predio %></h6>
</div>
<div class="container" style="margin-top: 30px;">
    <div class="row">
        <div class="col-sm-6">
            <div class="card">
                <div class="card-header text-center">
                    <!-- ruleid: template-explicit-unescape -->
                    <b><%- nome %></b>
                </div>
                <div class="card-body">
                    <!-- ok: template-explicit-unescape -->
                    <%= template-table %>
                </div>
                <div>
                    <!-- ok: template-explicit-unescape -->
                    <%- include('partials/example', {data: data}); %>
                </div>
            </div>
        </div>
    </div>
</div>

</html>