Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 646bf99

Browse files
erik-krogherik-krogh
committed
rewrite the qhelp to focus more on documenting unsafe functions
1 parent 3fe5dd0 commit 646bf99

1 file changed

Lines changed: 13 additions & 16 deletions

File tree

javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp

Lines changed: 13 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -4,26 +4,22 @@
44
<qhelp>
55
<overview>
66
<p>
7-
Dynamically constructing HTML with inputs from library functions that are
8-
available to external clients may inadvertently leave a client open to XSS attacks.
9-
10-
Clients using the exported function may use inputs containing unsafe HTML,
11-
and if these inputs end up in the DOM, the client may be vulnerable to
12-
cross-site scripting attacks.
13-
</p>
7+
When a library function dynamically constructs HTML in a potentially unsafe
8+
way, then it's important to document to clients of the library that the function
9+
should only be used with trusted inputs.
1410

11+
If the function is not documented as being potentially unsafe, then a client
12+
may inadvertently use inputs containing unsafe HTML fragments, and thereby leave
13+
the client vulnerable to cross-site scripting attacks.
14+
</p>
1515
</overview>
1616
<recommendation>
1717

1818
<p>
19-
If possible, use safe APIs when inserting HTML into the DOM.
20-
Such as writing to the <code>innerText</code> property instead of <code>innerHTML</code>.
19+
Document all library functions that can lead to cross-site scripting
20+
attacks, and guard against unsafe inputs where dynamic HTML
21+
construction is not intended.
2122
</p>
22-
23-
<p>
24-
Alternatively, use a HTML sanitizer to escape/remove unsafe content.
25-
</p>
26-
2723
</recommendation>
2824
<example>
2925

@@ -41,13 +37,14 @@
4137
</p>
4238

4339
<p>
44-
To avoid such attacks, a program can use safe APIs such as <code>innerText</code>.
40+
The library could either document that this function should not be used
41+
with unsafe inputs, or use safe APIs such as <code>innerText</code>.
4542
</p>
4643

4744
<sample src="examples/unsafe-html-construction_safe.js" />
4845

4946
<p>
50-
Alternatively, use a HTML sanitizer to remove unsafe content.
47+
Alternatively, a HTML sanitizer can be used to remove unsafe content.
5148
</p>
5249

5350
<sample src="examples/unsafe-html-construction_sanitizer.js" />

0 commit comments

Comments
 (0)