javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag
Community Favorite
semgrepAuthor
12,582
Download Count*
License
Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.
Run Locally
Run in CI
Defintion
rules:
- id: var-in-script-tag
message: Detected a template variable used in a script tag. Although template
variables are HTML escaped, HTML escaping does not always prevent
cross-site scripting (XSS) attacks when used directly in JavaScript. If
you need this data on the rendered page, consider placing it in the HTML
portion (outside of a script tag). Alternatively, use a
JavaScript-specific encoder, such as the one available in OWASP ESAPI.
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
references:
- https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
- https://github.com/ESAPI/owasp-esapi-js
category: security
technology:
- express
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
languages:
- generic
severity: WARNING
patterns:
- pattern-inside: <script ...> ... </script>
- pattern-not-inside: <script ... $ATTR = "..." ...>
- pattern-not-inside: <script ... $ATTR = '...' ...>
- pattern: <% ... >
paths:
include:
- "*.ejs"
- "*.html"
Examples
var-in-script-tag.ejs
<!-- cf. https://github.com/caiomartini/mustache-demo/blob/97b9200ebd2d27953febff23e6718aa1aa9ee44d/demo-mustache.html -->
<!DOCTYPE HTML>
<html>
<head>
<title>Demo Mustache.JS</title>
<meta charset="utf-8">
<link rel="stylesheet" href="node_modules\bootstrap\dist\css\bootstrap.min.css">
<script type="text/javascript" src="node_modules\jquery\dist\jquery.min.js"></script>
<script type="text/javascript" src="node_modules\bootstrap\dist\js\bootstrap.min.js"></script>
<script type="text/javascript" src="node_modules\mustache\mustache.min.js"></script>
<script type="text/javascript" src="demo-mustache.js"></script>
</head>
<body onload="carregarDemo();">
<div class="content">
<div id="mustache-header"></div>
<div id="mustache-cards"></div>
</div>
</body>
<script type="text/javascript">
<!-- ruleid: var-in-script-tag -->
var message = <%= message %>;
</script>
<script type="text/javascript">
<!-- ruleid: var-in-script-tag -->
var message = <%= message %>;
console.log(message);
console.log("more statements here");
<!-- ruleid: var-in-script-tag -->
var message2 = <%= message2 %>;
var flash = document.getElementById("flash");
flash.text = message;
</script>
<script src="app.js"></script>
<!-- ok: var-in-script-tag -->
<%= title %>
<script src="script.js"></script>
<div class="text-center">
<h2>Apresentando o time da <b><%= time.nome %></b></h2>
<h6>Predio <%= time.predio %></h6>
</div>
<div class="container" style="margin-top: 30px;">
<div class="row">
<div class="col-sm-6">
<div class="card">
<div class="card-header text-center">
<b><%= nome %></b>
</div>
<div class="card-body">
<%= template-table %>
</div>
</div>
</div>
</div>
</div>
<!-- ok: var-in-script-tag -->
<script src="./<%=reactDemoIndexBundleJs %>" crossOrigin="anonymous" integrity="<%=sri.reactDemoIndexBundleJs %>"></script>
</html>
Short Link: https://sg.run/Ek9L