python.django.security.audit.xss.template-href-var.template-href-var

Author: semgrep
Download count: 6,591

Detected a template variable used in an anchor tag's 'href' attribute. If the variable is user-controlled, a malicious actor can supply a 'javascript:' URI, which leads to cross-site scripting (XSS). Django's autoescaping does not help here: a value such as javascript:alert(1) contains none of the characters the escape filter rewrites (< > & " '), so it reaches the browser unchanged. Use the 'url' template tag to generate the link from a named route, or validate the scheme server-side before passing the value to the template. You may also consider setting a Content Security Policy (CSP) header. Note that this rule runs in Semgrep's generic mode over *.html files and flags the pattern wherever it appears, without knowing where the variable comes from, hence its LOW confidence; treat findings as audit leads to be confirmed in the view code.
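As an added illustration (not part of the Semgrep rule or its test template), the Python below shows why an autoescaping template engine leaves a 'javascript:' href intact, and a server-side scheme allow-list a view can apply before a user-controlled link is handed to the template. The helper names (render_anchor, is_safe_href, render_checked_anchor) are hypothetical, the sample links are constructed, and html.escape stands in for Django's autoescaping, which rewrites the same five characters. The allow-list matches the default schemes of Django's URLValidator without requiring Django.

```python
"""Added example, not part of the Semgrep rule or its test template.

Shows (1) why an HTML-escaping template engine leaves a 'javascript:' href
intact and (2) a server-side scheme allow-list to apply before a
user-controlled link is handed to the template. Helper names are
hypothetical; sample links are constructed for this demonstration.
"""
import html
from urllib.parse import urlsplit

# Schemes a user-supplied link may use. Same default list as Django's
# URLValidator (http, https, ftp, ftps); no Django import needed here.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps"}


def render_anchor(link: str, link_text: str) -> str:
    """Render <a href='{{ link }}'>{{ link_text }}</a> the way an autoescaping
    engine does: each variable is HTML-escaped and nothing else is checked.
    html.escape rewrites < > & " ' only; ':' '(' ')' '.' pass through."""
    return f"<a href='{html.escape(link)}'>{html.escape(link_text)}</a>"


def _browser_normalize(link: str) -> str:
    """Apply the WHATWG URL parser's pre-processing: trim leading and trailing
    C0 controls and spaces, then drop ASCII tab, LF and CR anywhere. Without
    this, ' javascript:...' or 'java\\tscript:...' would look scheme-less to
    the check but parse as javascript: in the browser."""
    trimmed = link.strip("".join(chr(c) for c in range(0x21)))
    return trimmed.replace("\t", "").replace("\n", "").replace("\r", "")


def is_safe_href(link: str) -> bool:
    """True for relative paths and absolute URLs with an allow-listed scheme;
    False for javascript:, data:, vbscript:, mailto: and anything else."""
    scheme = urlsplit(_browser_normalize(link)).scheme.lower()
    if scheme == "":
        return True  # relative URL such as /accounts/login/
    return scheme in ALLOWED_SCHEMES


def render_checked_anchor(link: str, link_text: str) -> str:
    """What the view should do: validate the scheme before the template sees
    the value, so escaping only has to deal with HTML metacharacters."""
    if not is_safe_href(link):
        raise ValueError(f"refusing to render link with disallowed scheme: {link!r}")
    return render_anchor(link, link_text)


if __name__ == "__main__":
    # Constructed payload: it contains no < > & " ', so escaping changes nothing.
    payload = "javascript:alert(document.cookie)"
    print(render_anchor(payload, "Reset password"))
    # -> <a href='javascript:alert(document.cookie)'>Reset password</a>
    for candidate in [payload, " javascript:alert(1)", "java\tscript:alert(1)",
                      "data:text/html,<script>alert(1)</script>",
                      "https://example.com/", "/accounts/login/"]:
        print(f"{candidate!r}: {'ok' if is_safe_href(candidate) else 'REJECTED'}")
```

The escaped anchor is byte-for-byte the attacker's payload, which is the point of the rule: escaping is the wrong layer for this bug. The check deliberately mirrors the browser's own whitespace handling before reading the scheme, because a naive `link.startswith("javascript:")` test misses the tab and leading-space variants.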

Definition

rules:
  - id: template-href-var
    message: Detected a template variable used in an anchor tag with the 'href'
      attribute. This allows a malicious actor to input the 'javascript:' URI
      and is subject to cross-site scripting (XSS) attacks. Use the 'url'
      template tag to safely generate a URL. You may also consider setting the
      Content Security Policy (CSP) header.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
        - https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#url
        - https://content-security-policy.com/
      category: security
      technology:
        - django
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - generic
    paths:
      include:
        - "*.html"
    severity: WARNING
    patterns:
      - pattern-inside: <a ...>
      - pattern-either:
          - pattern: href = '{{...}}'
          - pattern: href = "{{...}}"
          - pattern: href = {{...}}

Examples

template-href-var.html

<h4>From: {{ from_email }}</h4>
<h4>To:
    {% for recipient in recipients %}
    {{ recipient }}&nbsp;
    {% endfor %}
</h4>
<h4>Subject: {{subject}}</h4>
<div class="email" style="display: block;">
    {{ message }}
</div>
<div class="email-text" style="display: none;">
    <pre>{{ body }}</pre>
    <!-- ruleid: template-href-var -->
    <a href='{{ link }}'>{{ link_text }}</a>
    <!-- ruleid: template-href-var -->
    <a href =  '{{ link }}' >{{ link_text }}</a>
    <!-- ok: template-href-var -->
    <a href="{% url 'login' %}">{{ link_text }}</a>
    <!-- ok: template-href-var -->
    <a href="https://example.com/">{{ link_text }}</a>
</div>
<hr>