javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup
semgrep
Author
4,562
Download Count*
License
User controlled data in a createNodesFromMarkup
is an anti-pattern that can lead to XSS vulnerabilities
Run Locally
Run in CI
Defintion
rules:
- id: insecure-createnodesfrommarkup
message: User controlled data in a `createNodesFromMarkup` is an anti-pattern
that can lead to XSS vulnerabilities
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
category: security
technology:
- fbjs
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
references:
- https://owasp.org/Top10/A03_2021-Injection
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
languages:
- javascript
- typescript
severity: WARNING
patterns:
- pattern-either:
- pattern: createNodesFromMarkup(...)
- pattern: $X.createNodesFromMarkup(...)
- pattern-not: createNodesFromMarkup("...",...)
- pattern-not: $X.createNodesFromMarkup("...",...)
Examples
insecure-createnodesfrommarkup.js
function ok1() {
// ok: insecure-createnodesfrommarkup
createNodesFromMarkup('<div></div', function () {
handleIt();
})
}
function bad1(input) {
// ruleid: insecure-createnodesfrommarkup
createNodesFromMarkup('<div>' + input + '</div', function () {
handleIt();
})
}
Short Link: https://sg.run/J9Yj