javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup

semgrep

Author

4,562

Download Count*

LGPL Commons Clause

License

User controlled data in a createNodesFromMarkup is an anti-pattern that can lead to XSS vulnerabilities

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: insecure-createnodesfrommarkup
    message: User controlled data in a `createNodesFromMarkup` is an anti-pattern
      that can lead to XSS vulnerabilities
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      category: security
      technology:
        - fbjs
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-either:
          - pattern: createNodesFromMarkup(...)
          - pattern: $X.createNodesFromMarkup(...)
      - pattern-not: createNodesFromMarkup("...",...)
      - pattern-not: $X.createNodesFromMarkup("...",...)

Examples

insecure-createnodesfrommarkup.js


function ok1() {
// ok: insecure-createnodesfrommarkup
  createNodesFromMarkup('<div></div', function () {
    handleIt();
  })
}

function bad1(input) {
// ruleid: insecure-createnodesfrommarkup
  createNodesFromMarkup('<div>' + input + '</div', function () {
    handleIt();
  })
}

Short Link: https://sg.run/J9Yj