javascript.express.security.audit.xss.mustache.var-in-script-tag.var-in-script-tag

Community Favorite
profile photo of returntocorpreturntocorp
Author
12,582
Download Count*

Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.

Run Locally

Run in CI

Defintion

rules:
  - id: var-in-script-tag
    message: Detected a template variable used in a script tag. Although template
      variables are HTML escaped, HTML escaping does not always prevent
      cross-site scripting (XSS) attacks when used directly in JavaScript. If
      you need this data on the rendered page, consider placing it in the HTML
      portion (outside of a script tag). Alternatively, use a
      JavaScript-specific encoder, such as the one available in OWASP ESAPI.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
        - https://github.com/ESAPI/owasp-esapi-js
      category: security
      technology:
        - express
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - generic
    severity: WARNING
    patterns:
      - pattern-inside: <script ...> ... </script>
      - pattern: "{{ ... }}"
    paths:
      include:
        - "*.mustache"
        - "*.hbs"
        - "*.html"

Examples

var-in-script-tag.mustache

<!-- cf. https://github.com/caiomartini/mustache-demo/blob/97b9200ebd2d27953febff23e6718aa1aa9ee44d/demo-mustache.html -->
<!DOCTYPE HTML>
<html>

<head>
    <title>Demo Mustache.JS</title>
    <meta charset="utf-8">
    <link rel="stylesheet" href="node_modules\bootstrap\dist\css\bootstrap.min.css">
    <script type="text/javascript" src="node_modules\jquery\dist\jquery.min.js"></script>
    <script type="text/javascript" src="node_modules\bootstrap\dist\js\bootstrap.min.js"></script>
    <script type="text/javascript" src="node_modules\mustache\mustache.min.js"></script>
    <script type="text/javascript" src="demo-mustache.js"></script>
</head>

<body onload="carregarDemo();">
    <div class="content">
        <div id="mustache-header"></div>
        <div id="mustache-cards"></div>
    </div>
</body>

<script type="text/javascript">
    <!-- ruleid: var-in-script-tag -->
    var message = {{ message }};
</script>

<script type="text/javascript">
    <!-- ruleid: var-in-script-tag -->
    var message = {{ message }};
    console.log(message);
    console.log("more statements here");
    <!-- ruleid: var-in-script-tag -->
    var message2 = {{ message2 }};
    var flash = document.getElementById("flash");
    flash.text = message;
</script>

<script type="text/javascript" src="mustache.js"></script>
<!-- ok: var-in-script-tag -->
{{ message }}
<script type="text/javascript" src="demo.js"></script>

<div class="text-center">
    <h2>Apresentando o time da <b>{{time.nome}}</b></h2>
    <h6>Predio {{time.predio}}</h6>
</div>
{{#time}}
<div class="container" style="margin-top: 30px;">
    <div class="row">
        {{#squads}}
        <div class="col-sm-6">
            <div class="card">
                <div class="card-header text-center">
                    <b>{{nome}}</b>
                </div>
                <div class="card-body">
                    {{! Partial de tabela de membros do Squad }}
                    {{> template-table}}
                </div>
            </div>
        </div>
        {{/squads}}
    </div>
</div>
{{/time}}

</html>