javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag

Author: semgrep
Download count: 7,795

Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.
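To make the description concrete, here is an added example (not code from the Semgrep rule, from Pug, or from OWASP ESAPI) showing what HTML escaping does and does not protect inside a script body, next to the two alternatives the message recommends. `htmlEscape` mimics a template engine's HTML escaping, `encodeForJavaScript` is modelled on the ESAPI encoder's `\xHH` scheme rather than taken from it, and every other function name is this example's own.

```javascript
// Added example (not from the Semgrep rule, Pug or ESAPI): what HTML escaping
// does and does not protect inside a <script> body, and the two alternatives the
// rule message recommends. All function names below are this example's own.

// Pug-style HTML escaping: only the five HTML-significant characters change.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// ESAPI-style JavaScript encoding (modelled on encodeForJavaScript, not its code):
// every non-alphanumeric UTF-16 unit becomes \xHH or \uHHHH, so the JS parser can
// only ever read the output as the contents of a string literal.
function encodeForJavaScript(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const code = s.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(s[i])) out += s[i];
    else if (code < 0x100) out += "\\x" + code.toString(16).padStart(2, "0");
    else out += "\\u" + code.toString(16).padStart(4, "0");
  }
  return out;
}

// What `script="var a = " + a` in Pug produces: the value is HTML-escaped and then
// dropped, unquoted, into the script body.
function unsafeScriptVar(name, value) {
  return `var ${name} = ${htmlEscape(value)}`;
}

// JS-encoded alternative: the value always lands inside a quoted literal.
function safeScriptVar(name, value) {
  return `var ${name} = "${encodeForJavaScript(value)}"`;
}

// Keep-it-out-of-script alternative: serialize into an attribute, where HTML
// escaping is the right encoder, and let client code JSON.parse it back.
function dataAttribute(id, obj) {
  return `<div id="${id}" data-cfg="${htmlEscape(JSON.stringify(obj))}"></div>`;
}

// Stand-in for the browser's attribute decoding plus `JSON.parse(el.dataset.cfg)`.
function readDataAttribute(html) {
  const m = /data-cfg="([^"]*)"/.exec(html);
  const unescape = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
  return JSON.parse(m[1].replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => unescape[e]));
}

// Run a generated snippet and return the variable it defined. Used here only to
// show whether the interpolated value stayed data or changed the program.
function evalAndRead(script, name) {
  return new Function(`${script}; return ${name};`)();
}

// Constructed inputs: the first has no HTML metacharacters at all, so HTML
// escaping leaves it untouched; the second is a legitimate value that HTML
// escaping corrupts inside JS; the third would end the <script> element if it
// reached the page raw.
function compareEncoders() {
  const statement = "1; a = 2";
  const comparison = "a < b";
  const closer = "</script>";
  return {
    escapeIsNoop: htmlEscape(statement) === statement,
    // 2: the "data" executed as a second statement and reassigned a
    unsafeValue: evalAndRead(unsafeScriptVar("a", statement), "a"),
    // "1; a = 2": stayed a string
    safeValue: evalAndRead(safeScriptVar("a", statement), "a"),
    // "a &lt; b": the browser does not decode entities inside <script>, so the
    // program sees the entity text, not the original value
    corruptedValue: evalAndRead(`var a = "${htmlEscape(comparison)}"`, "a"),
    // the JS-encoded form never contains the literal "</script" sequence ...
    closerSafe: !safeScriptVar("a", closer).includes("</script"),
    // ... yet decodes back to the original value
    closerRoundTrip: evalAndRead(safeScriptVar("a", closer), "a"),
    attributeRoundTrip: readDataAttribute(dataAttribute("cfg", { user: "o'neil <x>" })).user,
  };
}
```

Two things the rule text implies but does not spell out: a value with no HTML metacharacters passes HTML escaping unchanged, so an unquoted interpolation like `var a = ` + a turns it straight into a statement; and because the browser never decodes entities inside a script element, HTML escaping also corrupts legitimate values (`a < b` arrives as `a &lt; b`). The JS encoder avoids both, and since `<` never appears raw in its output the `</script>` closing-tag case is covered as well.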

Definition

rules:
  - id: var-in-script-tag
    message: Detected a template variable used in a script tag. Although template
      variables are HTML escaped, HTML escaping does not always prevent
      cross-site scripting (XSS) attacks when used directly in JavaScript. If
      you need this data on the rendered page, consider placing it in the HTML
      portion (outside of a script tag). Alternatively, use a
      JavaScript-specific encoder, such as the one available in OWASP ESAPI.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
        - https://github.com/ESAPI/owasp-esapi-js
      category: security
      technology:
        - express
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - regex
    severity: WARNING
    paths:
      include:
        - "*.pug"
    pattern-either:
      - pattern-regex: script\s*=[A-Za-z0-9]+
      - pattern-regex: script\s*=.*["']\s*\+.*
      - pattern-regex: script\s*=[^'"]+\+.*
      - pattern-regex: script\(.*?\)\s*=\s*[A-Za-z0-9]+
      - pattern-regex: script\(.*?\)\s*=\s*.*["']\s*\+.*
      - pattern-regex: script\(.*?\)\s*=\s*[^'"]+\+.*

Examples

var-in-script-tag.pug

html
    head
        title=title
        body
        h1=message
        a(href='/' + link)='hello'
        // ruleid: var-in-script-tag
        script(type="text/javascript")=src

        // ruleid: var-in-script-tag
        script(type="text/javascript")="a += " + a

        // ruleid: var-in-script-tag
        script(type="text/javascript") = a + "blah"

        // ruleid: var-in-script-tag
        script="var a = " + a

        // ok: var-in-script-tag
        script="var a = 1;"

        // ok: var-in-script-tag
        script="var a = 1; a+=1"
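As an added example (not part of the Semgrep rule or its test file), the rule's six `pattern-regex` entries applied line by line to constructed Pug lines, so you can see which pattern fires on which line and check the result against the `ruleid`/`ok` annotations above. Semgrep runs these regexes itself over the whole file; this only approximates that for single-line cases, and the `script!=` line is an extra sample of this example's own, not from the test file.

```javascript
// Added example (not part of the Semgrep rule or its test file): the rule's six
// pattern-regex entries, in the order the rule lists them, run line by line.
const PATTERNS = [
  /script\s*=[A-Za-z0-9]+/,
  /script\s*=.*["']\s*\+.*/,
  /script\s*=[^'"]+\+.*/,
  /script\(.*?\)\s*=\s*[A-Za-z0-9]+/,
  /script\(.*?\)\s*=\s*.*["']\s*\+.*/,
  /script\(.*?\)\s*=\s*[^'"]+\+.*/,
];

// 1-based index of the first pattern that matches the line, or 0 for no match.
function matchingPattern(line) {
  return PATTERNS.findIndex((re) => re.test(line)) + 1;
}

// Constructed Pug lines. The boolean mirrors the ruleid (true) / ok (false)
// annotation in the rule's test file; the last line is an extra sample.
const SAMPLES = [
  ['script(type="text/javascript")=src', true],
  ['script(type="text/javascript")="a += " + a', true],
  ['script(type="text/javascript") = a + "blah"', true],
  ['script="var a = " + a', true],
  ['script="var a = 1;"', false],
  ['script="var a = 1; a+=1"', false],
  // Pug's unescaped buffered form (`!=`) sits outside every pattern: `script\s*=`
  // leaves no room for the `!`. An audit of templates needs a separate check for it.
  ["script!= src", false],
];

// One record per line: which pattern fired (0 = none) and whether that agrees
// with the annotation the sample carries.
function auditLines(samples) {
  return samples.map(([line, flaggedInTestFile]) => {
    const pattern = matchingPattern(line);
    return { line, pattern, agrees: (pattern > 0) === flaggedInTestFile };
  });
}

// Convenience for a quick look at the pattern numbers only.
function patternNumbers(samples) {
  return auditLines(samples).map((r) => r.pattern);
}
```

Note that the third sample is caught by pattern 4 rather than pattern 6: after `) = ` the bare identifier `a` already satisfies `[A-Za-z0-9]+`, so the simpler pattern wins before the concatenation-aware one is consulted. The two `ok` lines stay unflagged because their literal starts with a quote that `[^'"]+` refuses and contains no quote followed by `+`.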