python.django.security.audit.xss.template-href-var.template-href-var
semgrep
Author
6,591
Download Count*
License
Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use the 'url' template tag to safely generate a URL. You may also consider setting the Content Security Policy (CSP) header.
Run Locally
Run in CI
Defintion
rules:
- id: template-href-var
message: Detected a template variable used in an anchor tag with the 'href'
attribute. This allows a malicious actor to input the 'javascript:' URI
and is subject to cross- site scripting (XSS) attacks. Use the 'url'
template tag to safely generate a URL. You may also consider setting the
Content Security Policy (CSP) header.
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
references:
- https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
- https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#url
- https://content-security-policy.com/
category: security
technology:
- django
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
languages:
- generic
paths:
include:
- "*.html"
severity: WARNING
patterns:
- pattern-inside: <a ...>
- pattern-either:
- pattern: href = '{{...}}'
- pattern: href = "{{...}}"
- pattern: href = {{...}}
Examples
template-href-var.html
<h4>From: {{ from_email }}</h4>
<h4>To:
{% for recipient in recipients %}
{{ recipient }}
{% endfor %}
</h4>
<h4>Subject: {{subject}}</h4>
<div class="email" style="display: block;">
{{ message }}
</div>
<div class="email-text" style="display: none;">
<pre>{{ body }}</pre>
<!-- ruleid: template-href-var -->
<a href='{{ link }}'>{{ link_text }}</a>
<!-- ruleid: template-href-var -->
<a href = '{{ link }}' >{{ link_text }}</a>
<!-- ok: template-href-var -->
<a href="{% url 'login' %}">{{ link_text }}</a>
<!-- ok: template-href-var -->
<a href="https://example.com/">{{ link_text }}</a>
</div>
<hr>
Short Link: https://sg.run/4x25