ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag

profile photo of semgrepsemgrep
Author
6,305
Download Count*
LGPL Commons Clause
License

'content_tag()' bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use 'html_safe'. Ensure no external data enters the HTML-safe string!

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: avoid-content-tag
    metadata:
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_content_tag.rb
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown
        - https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/
      category: security
      technology:
        - rails
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    message: "'content_tag()' bypasses HTML escaping for some portion of the
      content. If external data can reach here, this exposes your application to
      cross-site scripting (XSS) attacks. Ensure no external data reaches here.
      If you must do this, create your HTML manually and use 'html_safe'. Ensure
      no external data enters the HTML-safe string!"
    languages:
      - ruby
    severity: WARNING
    pattern: content_tag(...)

Examples

avoid-content-tag.rb

# cf. https://apidock.com/rails/ActionView/Helpers/TagHelper/content_tag

# ruleid: avoid-content-tag
content_tag(:p, "Hello world!")
 # => <p>Hello world!</p>

# ruleid: avoid-content-tag
content_tag(:div, content_tag(:p, "Hello world!"), class: "strong")
 # => <div class="strong"><p>Hello world!</p></div>

# ruleid: avoid-content-tag
content_tag(:div, "Hello world!", class: ["strong", "highlight"])
 # => <div class="strong highlight">Hello world!</div>

# ruleid: avoid-content-tag
content_tag("select", options, multiple: true)
 # => <select multiple="multiple">...options...</select>

# cf. https://stackoverflow.com/a/4205709
module InputHelper
  def editable_input(label,name)
    # ruleid: avoid-content-tag
    content_tag :div, :class => "field" do
      # ruleid: avoid-content-tag
      content_tag(:label,label) + # Note the + in this line
      text_field_tag(name,'', :class => 'medium new_value')
    end
  end
end