javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes
Author: semgrep
Detected unescaped variables used with '&attributes'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.
Definition
rules:
- id: template-and-attributes
  message: Detected unescaped variables used with '&attributes'. If external data
    can reach these locations, your application is exposed to a cross-site
    scripting (XSS) vulnerability. If you must do this, ensure no external
    data can reach this location.
  metadata:
    cwe:
    - "CWE-79: Improper Neutralization of Input During Web Page Generation
      ('Cross-site Scripting')"
    owasp:
    - A07:2017 - Cross-Site Scripting (XSS)
    - A03:2021 - Injection
    references:
    - https://pugjs.org/language/attributes.html#attributes
    category: security
    technology:
    - express
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Cross-Site-Scripting (XSS)
  languages:
  - regex
  severity: WARNING
  paths:
    include:
    - "*.pug"
  pattern-regex: .*&attributes.*
Examples
and-attributes.pug
// cf. https://github.com/abdulaz1z/nodejs-pug-starter/blob/42b48dd68416a87904258d1228686321206efc36/views/index.pug
doctype html
html(lang="en")
  include includes/head.pug
  body
    //- Navigation
    nav(class="navbar navbar-expand-lg navbar-dark bg-dark fixed-bottom")
      div(class="container")
        a(class="navbar-brand" href="/") NodeJs-Pug-Starter
        button(class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarResponsive" aria-controls="navbarResponsive" aria-expanded="false" aria-label="Toggle navigation")
          // ruleid: template-and-attributes
          span()&attributes({"class": "navbar-toggler-icon"})
        div(class="collapse navbar-collapse" id="navbarResponsive")
          ul(class="navbar-nav ml-auto")
            li(class="nav-item")
              a(class="nav-link" href="/") Home
            li(class="nav-item")
              a(class="nav-link" target="_blank" href!="/docs") Documentation
    //- Page Content
    section
      div(class="container")
        div(class="row")
          div(class="col-lg-6")
            - var attrs = {};
            - attrs.class = "mb-5";
            // ruleid: template-and-attributes
            h1(class="mt-5 text-white")&attributes(attrs) Simple App
            p(class="text-light") This project is a simple application skeleton for a NodeJs web app with PugJs templating. You can use it to quickly bootstrap your NodeJs webapp projects and dev environment for these projects.
    script(src='vendor/jquery/jquery.min.js')
    script(src='vendor/bootstrap/js/bootstrap.bundle.min.js')
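The rule's `.*&attributes.*` regex flags both uses in the test file above, the fixed object literal as well as the `attrs` variable, which is why its confidence is LOW. As an added example (not part of the Semgrep rule or of the nodejs-pug-starter project), the JavaScript below is a triage pass over Pug source that reports every `&attributes(...)` call and notes whether its argument is a plain object literal of string values, which no runtime data can reach, or a variable or expression whose contents still have to be traced to their source. The sample Pug lines are constructed from the test file above.

```javascript
// Added example: triage helper for Semgrep's `&attributes` findings.
// Not part of the rule or the nodejs-pug-starter project; the sample
// input below is constructed from the shape of the rule's test file.

const ATTR_CALL = /&attributes\(/g;

// Return the balanced argument text that follows `&attributes(`; `start` is
// the index of the opening parenthesis. Falls back to the rest of the line
// if the parentheses are unbalanced.
function readArgument(line, start) {
  let depth = 0;
  for (let i = start; i < line.length; i++) {
    if (line[i] === '(') depth++;
    else if (line[i] === ')' && --depth === 0) return line.slice(start + 1, i);
  }
  return line.slice(start + 1);
}

// Matches an object literal whose keys are string literals or bare identifiers
// and whose values are all string literals, e.g. {"class": "navbar-toggler-icon"}.
// Nothing in such an argument can be influenced at runtime.
const LITERAL_OBJECT =
  /^\s*\{\s*(?:(?:"[^"]*"|'[^']*'|[A-Za-z_$][\w$]*)\s*:\s*(?:"[^"]*"|'[^']*')\s*,?\s*)*\}\s*$/;

// Scan Pug source and return one finding per `&attributes(...)` use.
// `dynamic: true` means the argument is a variable or expression whose
// contents depend on runtime data and must be traced back to its source.
function findAndAttributes(pugSource) {
  const findings = [];
  pugSource.split('\n').forEach((line, idx) => {
    ATTR_CALL.lastIndex = 0;
    let m;
    while ((m = ATTR_CALL.exec(line)) !== null) {
      const arg = readArgument(line, m.index + '&attributes'.length).trim();
      findings.push({ line: idx + 1, argument: arg, dynamic: !LITERAL_OBJECT.test(arg) });
    }
  });
  return findings;
}

// Constructed sample: the two flagged lines from the rule's test file.
const SAMPLE = [
  'button(class="navbar-toggler" type="button")',
  '  span()&attributes({"class": "navbar-toggler-icon"})',
  '- var attrs = {};',
  '- attrs.class = "mb-5";',
  'h1(class="mt-5 text-white")&attributes(attrs) Simple App',
].join('\n');

for (const f of findAndAttributes(SAMPLE)) {
  console.log(`line ${f.line}: &attributes(${f.argument}) -> ${f.dynamic ? 'review data flow' : 'literal, low risk'}`);
}
```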
Short Link: https://sg.run/Q5jk