javascript.jquery.security.audit.prohibit-jquery-html.prohibit-jquery-html
semgrep
Author
3,426
Download Count*
License
JQuery's html
function is susceptible to Cross Site Scripting (XSS) attacks. If you're just passing text, consider text
instead. Otherwise, use a function that escapes HTML such as edX's HtmlUtils.setHtml()
.
Run Locally
Run in CI
Defintion
rules:
- id: prohibit-jquery-html
message: JQuery's `html` function is susceptible to Cross Site Scripting (XSS)
attacks. If you're just passing text, consider `text` instead. Otherwise,
use a function that escapes HTML such as edX's `HtmlUtils.setHtml()`.
metadata:
shortDesription: Use of JQuery's unsafe html() function.
help: >
## Remediation
Avoid using JQuery's html() function. If the string is plain text, use the text() function instead.
Otherwise, use a function that escapes html such as edx's HtmlUtils.setHtml().
tags:
- security
precision: high
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
references:
- https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss.html#javascript-concat-html
- https://stackoverflow.com/questions/8318581/html-vs-innerhtml-jquery-javascript-xss-attacks
- https://api.jquery.com/text/#text-text
category: security
technology:
- jquery
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
languages:
- javascript
- typescript
severity: WARNING
patterns:
- pattern: |
$X.html(...)
- pattern-not: |
$X.html("...",...)
Examples
prohibit-jquery-html.js
function bad1(input) {
// ruleid:prohibit-jquery-html
$( "button.continue" ).html( input );
}
function bad2() {
$.ajax({
url: "/api/getWeather",
data: {
zipcode: 97201
},
success: function( result ) {
// ruleid:prohibit-jquery-html
$( "#weather-temp" ).html( "<strong>" + result + "</strong> degrees" );
}
});
}
function ok1() {
// ok: prohibit-jquery-html
$( "button.continue" ).text( "Next Step..." );
}
function ok2() {
$.ajax({
url: "/api/getWeather",
data: {
zipcode: 97201
},
success: function( result ) {
// ok: prohibit-jquery-html
HtmlUtils.setHtml( "<strong>" + result + "</strong> degrees" );
}
});
}
function ok3() {
// ok: prohibit-jquery-html
$('.js-piechart-container').html('<canvas class="js-pie-chart" style="width:100%;height:300px;"></canvas>')
}
Short Link: https://sg.run/0Q9B