ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute

Download count: 6,305
Detected an unquoted template variable used as an attribute value. Without quotes, the value ends at the first whitespace character, so a malicious actor can inject further attributes such as custom JavaScript event handlers. To fix this, add quotes around the template expression, like this: "<%= expr %>".
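What the unquoted form lets through, as an added example in plain Ruby that is not part of this rule or its test file. The templates and attacker-controlled values below are constructed for the demonstration; `ERB::Util.h` stands in for the escaping Rails applies to `<%= %>` output by default, and `attributes`, `event_handlers` and `safe_href?` are helpers written here, not Rails or Semgrep APIs.

```ruby
require "erb"

# Constructed sample templates (not the page's test file): the same anchor
# with and without quotes around the ERB expression. Rails escapes <%= %>
# output by default; plain ERB does not, so ERB::Util.h is applied explicitly
# to model what Rails would emit.
UNQUOTED = '<a href=<%= ERB::Util.h(link) %> class="text-center">Click me</a>'
QUOTED   = '<a href="<%= ERB::Util.h(link) %>" class="text-center">Click me</a>'

# Constructed attacker-controlled values (assumptions, not from the page).
INJECTED_HANDLER = "x onmouseover=alert(1)"
SCHEME_ABUSE     = "javascript:alert(1)"

def render(template, link)
  ERB.new(template).result_with_hash(link: link)
end

# Minimal start-tag attribute parser following the HTML tokenizer's rules for
# the cases that matter here: double-quoted, single-quoted and unquoted values.
# An unquoted value ends at the first whitespace character or '>'.
ATTR_RE = /([^\s="'>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/

def attributes(html)
  start_tag = html[/<a\b([^>]*)>/, 1] or raise "no <a> start tag in #{html.inspect}"
  start_tag.scan(ATTR_RE).each_with_object({}) do |(name, dq, sq, uq), attrs|
    attrs[name.downcase] = dq || sq || uq || ""
  end
end

# Names of any on* event-handler attributes that ended up on the tag.
def event_handlers(html)
  attributes(html).keys.grep(/\Aon/)
end

# Quoting stops attribute breakout but says nothing about the URL scheme.
# This allowlist (an assumption for the demo, not a Rails helper) admits only
# http(s) URLs and same-origin relative paths.
def safe_href?(value)
  return true if value.start_with?("/") && !value.start_with?("//")
  value.match?(%r{\Ahttps?://}i)
end

if __FILE__ == $0
  [UNQUOTED, QUOTED].each do |tpl|
    html = render(tpl, INJECTED_HANDLER)
    puts html
    puts "  handlers injected: #{event_handlers(html).inspect}"
  end
  html = render(QUOTED, SCHEME_ABUSE)
  puts html
  puts "  href scheme safe? #{safe_href?(attributes(html)['href'])}"
end
```

The first rendering shows `onmouseover` arriving as a separate attribute because the unquoted value stops at the first space; the quoted rendering keeps the whole string inside `href`, and HTML escaping turns any `"` in the value into `&quot;`, so the attacker cannot close the quote either. The third rendering is the caveat: quoting prevents attribute breakout, but escaping leaves `javascript:` intact, so an `href` built from user input still needs a scheme check on top of this rule's fix. Note also that the rule's `fix-regex` wraps only the `<%= ... %>` expression, so on a value that is not the whole attribute, such as `href=/<%= link %>`, the autofix yields `href=/"<%= link %>"` and has to be corrected by hand to `href="/<%= link %>"`.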
Definition
rules:
  - id: unquoted-attribute
    message: 'Detected an unquoted template variable as an attribute. If unquoted, a
      malicious actor could inject custom JavaScript handlers. To fix this, add
      quotes around the template expression, like this: "<%= expr %>".'
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes
        - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
      category: security
      technology:
        - rails
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
    languages:
      - generic
    paths:
      include:
        - "*.erb"
    severity: WARNING
    patterns:
      - pattern-inside: <$TAG ...>
      - pattern-not-inside: ="..."
      - pattern-not-inside: ="<%= ... %>"
      - pattern-not-inside: ='...'
      - pattern-not-inside: ='<%= ... %>'
      - pattern: <%= ... %>
    fix-regex:
      regex: <%=(.*?)%>
      replacement: '"<%=\1%>"'
Examples
unquoted-attribute.erb
<!-- cf. https://github.com/caiomartini/mustache-demo/blob/97b9200ebd2d27953febff23e6718aa1aa9ee44d/demo-mustache.html -->
<!DOCTYPE HTML>
<html>
<div class="jumbotron text-center">
<h1 class="display-4">Hi, my name is <%= nome %>!</h1>
<p class="lead">This is just a demonstration of how to use Mustache.JS</p>
<!-- ruleid: unquoted-attribute -->
<a href=<%= link %> class="text-center">Click me</a>
<!-- ruleid: unquoted-attribute -->
<a href=/<%= link %> class="text-center">Click me</a>
<!-- ok: unquoted-attribute -->
<a href="<%= Foo::Bar::FooBar.frobnicate("#{event_id}", @params) %>" class="text-center">Click me</a>
<!-- ok: unquoted-attribute -->
<a href='<%= link %>' class="text-center">Click me</a>
<!-- ok: unquoted-attribute -->
<div class="alert lead alert-<%= key %>"><%= value %> </div>
<!-- ok: unquoted-attribute -->
<a href="#" class="dropdown-toggle" data-toggle="dropdown"> <%= current_user.name.pluralize %> Account <b class="caret"></b></a>
</div>
</html>
Short Link: https://sg.run/PpeN