CodeQL documentation

Unsafe HTML constructed from library input

ID: rb/html-constructed-from-input
Kind: path-problem
Security severity: 6.1
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-079
- external/cwe/cwe-116
Query suites:
- ruby-code-scanning.qls
- ruby-security-extended.qls
- ruby-security-and-quality.qls


When a library function dynamically constructs HTML in a potentially unsafe way, then it’s important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.

Recommendation

Document all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.

Example

The following example has a library function that renders a boldface name by creating a string containing a <b> element with the name embedded in it.

    class UsersController < ActionController::Base
      # BAD - create a user description, where the name is not escaped
      def create_user_description(name)
        "<b>#{name}</b>".html_safe
      end
    end

This library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.

The library could either document that this function should not be used with unsafe inputs, or escape the input before embedding it in the HTML fragment.

    class UsersController < ActionController::Base
      # Good - create a user description, where the name is escaped
      def create_user_description(name)
        "<b>#{ERB::Util.html_escape(name)}</b>".html_safe
      end
    end
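The following is an added example, not part of the CodeQL documentation or query: it runs both constructions over constructed inputs and checks whether markup from the input survives into the fragment. `TrustedHtml`, `UserDescription` and `extra_markup?` are hypothetical names; `TrustedHtml` stands in for Rails' `html_safe` marking so the code runs without Rails.

```ruby
require 'erb'

# Hypothetical stand-in for Rails' html_safe marking (ActiveSupport::SafeBuffer),
# so the example runs without Rails: a String the caller vouches for as HTML.
class TrustedHtml < String; end

module UserDescription
  module_function

  # Same construction as the BAD example: name is embedded verbatim.
  # Must only be called with trusted input.
  def unescaped(name)
    TrustedHtml.new("<b>#{name}</b>")
  end

  # Guarded form: escape everything unless the caller explicitly passed
  # a TrustedHtml value, which makes the trust decision visible at the call site.
  def escaped(name)
    inner = name.is_a?(TrustedHtml) ? name : ERB::Util.html_escape(name.to_s)
    TrustedHtml.new("<b>#{inner}</b>")
  end
end

# True if the fragment carries any tag besides the wrapping <b>...</b>.
def extra_markup?(fragment)
  fragment.sub(/\A<b>/, '').sub(%r{</b>\z}, '').match?(%r{<[a-z!/]}i)
end

# Constructed sample inputs (not from the original page).
SAMPLES = ['Alice', "O'Brien & Sons", '<script>alert(1)</script>'].freeze

def report
  SAMPLES.map do |s|
    { input: s,
      unescaped_has_markup: extra_markup?(UserDescription.unescaped(s)),
      escaped_has_markup: extra_markup?(UserDescription.escaped(s)) }
  end
end

report.each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```

A check like `extra_markup?` works as a unit test for library helpers that return HTML: feed it a tag-bearing string and assert that no tag beyond the helper's own wrapper appears in the output.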
