scala.play.security.twirl-html-var.twirl-html-var
semgrepAuthor
unknown
Download Count*
License
Raw html content controlled by a variable detected. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Try to avoid using Html() or consider properly sanitizing input data.
Run Locally
Run in CI
Defintion
rules:
- id: twirl-html-var
patterns:
- pattern-either:
- pattern: |
@Html($VAL)
- pattern: |
@Html(...$VAL + ...)
- pattern: |
@Html(... + $VAL...)
- metavariable-regex:
metavariable: $VAL
regex: \w*
message: Raw html content controlled by a variable detected. You may be
accidentally bypassing secure methods of rendering HTML by manually
constructing HTML and this could create a cross-site scripting
vulnerability, which could let attackers steal sensitive user data. Try to
avoid using `Html()` or consider properly sanitizing input data.
languages:
- generic
severity: WARNING
paths:
include:
- "*.html"
metadata:
category: security
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
references:
- https://www.playframework.com/documentation/2.8.x/ScalaTemplates#Escaping
technology:
- scala
- play
- twirl
confidence: LOW
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
Short Link: https://sg.run/DAry