javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag
Author: semgrep
Download count: 7,795
Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.
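The paragraph above states the core point of this rule: a value that is HTML-escaped is not thereby safe as JavaScript. The following is an added example, not code from the Semgrep rule or from Pug, that reproduces Pug's `=` escaping (the pug runtime escapes only `&`, `<`, `>` and `"`; that character set is the one assumption the emulation rests on) and contrasts it with the two alternatives the rule text suggests: a JavaScript-specific encoder (`toJsStringLiteral` is a small stand-in for the OWASP ESAPI encoder, not ESAPI's own code) and keeping the value in the HTML portion, read from the DOM by the script.

```javascript
// Added example (not from the Semgrep rule or from Pug): why Pug's HTML
// escaping of `script= expr` does not make a value safe inside JavaScript,
// and two alternatives in the spirit of the rule's advice. Pug is not
// required; pugHtmlEscape reproduces the characters Pug's runtime escapes.

// Pug's `=` output escaping (pug-runtime `escape`) replaces only & < > ".
// Not on the list: the single quote, the backslash and newlines, all of
// which matter inside a JavaScript string literal.
function pugHtmlEscape(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return String(value).replace(/[&<>"]/g, (c) => map[c]);
}

// What `script="var a = '" + a + "';"` renders to: the concatenated string
// is HTML-escaped as a whole and emitted as the body of <script>. A value
// containing a single quote ends the literal; HTML escaping never touches it.
function renderScriptHtmlEscaped(a) {
  return '<script>' + pugHtmlEscape("var a = '" + a + "';") + '</script>';
}

// JavaScript-specific encoder (assumption: a stand-in for the OWASP ESAPI
// encoder the rule mentions). JSON.stringify yields a valid JS string
// literal; the extra pass hex-escapes the characters the HTML parser cares
// about, so the value can never terminate the <script> element, plus the
// two Unicode line terminators that are legal in JSON but not in JS literals.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderScriptJsEncoded(a) {
  return '<script>var a = ' + toJsStringLiteral(a) + ';</script>';
}

// The rule's other suggestion: keep the value in the HTML portion, where
// HTML escaping is the right encoder, and let the script read it from DOM.
function renderDataAttribute(a) {
  return '<div id="cfg" data-a="' + pugHtmlEscape(a) + '"></div>' +
    '<script>var a = document.getElementById("cfg").dataset.a;</script>';
}

// Constructed inputs: one that ends a single-quoted JS string early and one
// that tries to close the script element. HTML escaping stops the second
// (while corrupting any legitimate & < > in the data) but not the first.
const QUOTE_BREAKOUT = "'; doSomething(); //";
const TAG_BREAKOUT = '</script><script>doSomething()</script>';

if (typeof require !== 'undefined' && require.main === module) {
  for (const input of [QUOTE_BREAKOUT, TAG_BREAKOUT]) {
    console.log('html-escaped :', renderScriptHtmlEscaped(input));
    console.log('js-encoded   :', renderScriptJsEncoded(input));
    console.log('data-attr    :', renderDataAttribute(input));
  }
}
```

Run it with `node` to see the three renderings side by side. The html-escaped rendering of `QUOTE_BREAKOUT` is syntactically valid JavaScript in which the injected call is a statement of its own; the js-encoded rendering keeps the whole value inside one string literal, and `JSON.parse` of that literal returns the original value unchanged, which is the property a JS-context encoder must have.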
Definition
rules:
  - id: var-in-script-tag
    message: Detected a template variable used in a script tag. Although template
      variables are HTML escaped, HTML escaping does not always prevent
      cross-site scripting (XSS) attacks when used directly in JavaScript. If
      you need this data on the rendered page, consider placing it in the HTML
      portion (outside of a script tag). Alternatively, use a
      JavaScript-specific encoder, such as the one available in OWASP ESAPI.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
        - https://github.com/ESAPI/owasp-esapi-js
      category: security
      technology:
        - express
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - regex
    severity: WARNING
    paths:
      include:
        - "*.pug"
    pattern-either:
      - pattern-regex: script\s*=[A-Za-z0-9]+
      - pattern-regex: script\s*=.*["']\s*\+.*
      - pattern-regex: script\s*=[^'"]+\+.*
      - pattern-regex: script\(.*?\)\s*=\s*[A-Za-z0-9]+
      - pattern-regex: script\(.*?\)\s*=\s*.*["']\s*\+.*
      - pattern-regex: script\(.*?\)\s*=\s*[^'"]+\+.*
Examples
var-in-script-tag.pug
html
  head
    title=title
  body
    h1=message
    a(href='/' + link)='hello'
    // ruleid: var-in-script-tag
    script(type="text/javascript")=src
    // ruleid: var-in-script-tag
    script(type="text/javascript")="a += " + a
    // ruleid: var-in-script-tag
    script(type="text/javascript") = a + "blah"
    // ruleid: var-in-script-tag
    script="var a = " + a
    // ok: var-in-script-tag
    script="var a = 1;"
    // ok: var-in-script-tag
    script="var a = 1; a+=1"
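The rule is a `languages: regex` rule, so what it flags is exactly what its six `pattern-regex` alternatives match. The following added example, not part of the Semgrep rule or its test file, runs those six regexes over a constructed template made of the example lines above plus a `script.` block with `#{}` and `!{}` interpolation, so you can see which alternative fires for each line and that the block form is not covered at all (none of the regexes matches `script` followed by `.`; the rule's own metadata rates its confidence LOW). The regexes are copied from the definition; Semgrep evaluates them with Python `re` semantics, and these particular patterns behave identically as JavaScript regex literals.

```javascript
// Added example, not part of the Semgrep rule: runs the rule's six
// pattern-regex alternatives over constructed Pug lines so you can see
// which lines the rule flags and which script-tag idioms it does not cover.

// The regexes as they appear in the rule definition, in the same order.
const VAR_IN_SCRIPT_TAG_PATTERNS = [
  /script\s*=[A-Za-z0-9]+/,
  /script\s*=.*["']\s*\+.*/,
  /script\s*=[^'"]+\+.*/,
  /script\(.*?\)\s*=\s*[A-Za-z0-9]+/,
  /script\(.*?\)\s*=\s*.*["']\s*\+.*/,
  /script\(.*?\)\s*=\s*[^'"]+\+.*/,
];

// 1-based indices of the alternatives that match a line. Semgrep reports a
// finding when any alternative in pattern-either matches.
function matchingPatterns(line) {
  const hits = [];
  VAR_IN_SCRIPT_TAG_PATTERNS.forEach((re, i) => {
    if (re.test(line)) hits.push(i + 1);
  });
  return hits;
}

function isFlagged(line) {
  return matchingPatterns(line).length > 0;
}

// Scan a whole template; returns [{ line, text, patterns }] for flagged lines.
function scanPug(source) {
  return source.split('\n').flatMap((text, idx) => {
    const patterns = matchingPatterns(text);
    return patterns.length ? [{ line: idx + 1, text: text.trim(), patterns }] : [];
  });
}

// Constructed template (not the rule's own test file): the page's example
// lines, then a `script.` text block with #{} (escaped) and !{} (unescaped)
// interpolation. Neither block line contains `script=` or `script(...)=`,
// so no alternative matches them.
const SAMPLE_PUG = [
  'html',
  '  body',
  '    script(type="text/javascript")=src',           // line 3: pattern 4
  '    script(type="text/javascript")="a += " + a',   // line 4: pattern 5
  '    script(type="text/javascript") = a + "blah"',  // line 5: patterns 4, 6
  '    script="var a = " + a',                        // line 6: pattern 2
  '    script="var a = 1;"',                          // no variable: clean
  '    script="var a = 1; a+=1"',                     // no variable: clean
  '    script.',                                      // block form: not matched
  '      var a = #{a};',                              // not matched
  '      var b = !{b};',                              // not matched
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanPug(SAMPLE_PUG)) {
    console.log(`line ${f.line} matched pattern(s) ${f.patterns.join(',')}: ${f.text}`);
  }
}
```

The practical caveat is the last three template lines: the regexes only recognise the `script=` and `script(...)=` forms, so a template that builds its script body with a `script.` block and `#{}` or `!{}` interpolation is not reported by this rule, and `!{}` output is not HTML-escaped by Pug at all. Reviewing those blocks by hand (or with a separate rule) is what the LOW confidence in the metadata is telling you.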
Short Link: https://sg.run/PJXp