javascript.jquery.security.audit.prohibit-jquery-html.prohibit-jquery-html

rules:
  - id: prohibit-jquery-html
    message: JQuery's `html` function is susceptible to Cross Site Scripting (XSS)
      attacks. If you're just passing text, consider `text` instead. Otherwise,
      use a function that escapes HTML such as edX's `HtmlUtils.setHtml()`.
    metadata:
      shortDesription: Use of JQuery's unsafe html() function.
      help: >
        ## Remediation

        Avoid using JQuery's html() function. If the string is plain text, use the text() function instead.

        Otherwise, use a function that escapes html such as edx's HtmlUtils.setHtml().
      tags:
        - security
      precision: high
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      references:
        - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss.html#javascript-concat-html
        - https://stackoverflow.com/questions/8318581/html-vs-innerhtml-jquery-javascript-xss-attacks
        - https://api.jquery.com/text/#text-text
      category: security
      technology:
        - jquery
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern: |
          $X.html(...)
      - pattern-not: |
          $X.html("...",...)