codeql/python/ql/src/Security/CWE-079/ReflectedXss.qhelp at 243280dc0094409deecc4e2f4886e1f92cf0e82d · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
<!DOCTYPE qhelp PUBLIC
  "-//Semmle//qhelp//EN"
  "qhelp.dtd">
<qhelp>

<overview>
<p>
Directly writing user input (for example, an HTTP request parameter) to a webpage
without properly sanitizing the input first, allows for a cross-site scripting vulnerability.
</p>
</overview>

<recommendation>
<p>
To guard against cross-site scripting, consider escaping the input before writing user input to the page.
The standard library provides escaping functions: <code>html.escape()</code> for Python 3.2 upwards
or <code>cgi.escape()</code> older versions of Python.
Most frameworks also provide their own escaping functions, for example <code>flask.escape()</code>.
</p>
</recommendation>

<example>
<p>
The following example is a minimal flask app which shows a safe and unsafe way to render the given name back to the page.
The first view is unsafe as <code>first_name</code> is not escaped, leaving the page vulnerable to cross-site scripting attacks.
The second view is safe as <code>first_name</code> is escaped, so it is not vulnerable to cross-site scripting attacks.
</p>
<sample src="examples/xss.py" />
</example>

<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">XSS
(Cross Site Scripting) Prevention Cheat Sheet</a>.
</li>
<li>
Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
</li>
<li>
Python Library Reference:
<a href="https://docs.python.org/3/library/html.html#html.escape">html.escape()</a>.
</li>
</references>
</qhelp>