|
1 | 1 | <!DOCTYPE qhelp PUBLIC |
2 | | - "-//Semmle//qhelp//EN" |
3 | | - "qhelp.dtd"> |
| 2 | + "-//Semmle//qhelp//EN" |
| 3 | + "qhelp.dtd"> |
4 | 4 | <qhelp> |
5 | 5 |
|
6 | | -<overview> |
7 | | -<p> |
8 | | -Directly writing user input (for example, an HTTP request parameter) to a webpage |
9 | | -without properly sanitizing the input first, allows for a cross-site scripting |
10 | | -vulnerability. |
11 | | -</p> |
12 | | -</overview> |
| 6 | + <overview> |
| 7 | + <p> |
| 8 | + Directly writing user input (for example, an HTTP request parameter) to a webpage |
| 9 | + without properly sanitizing the input first, allows for a cross-site scripting |
| 10 | + vulnerability. |
| 11 | + </p> |
| 12 | + </overview> |
13 | 13 |
|
14 | | -<recommendation> |
15 | | -<p> |
16 | | -To guard against cross-site scripting, consider escaping the input before |
17 | | -writing user input to the page. In some frameworks, such as Rails, escaping will |
18 | | -be performed implicitly and by default. |
19 | | -</p> |
20 | | -</recommendation> |
| 14 | + <recommendation> |
| 15 | + <p> |
| 16 | + To guard against cross-site scripting, consider escaping the input before |
| 17 | + writing user input to the page. In some frameworks, such as Rails, escaping will |
| 18 | + be performed implicitly and by default. |
| 19 | + </p> |
21 | 20 |
|
22 | | -<example> |
23 | | -<p> |
24 | | -For instance, the following example is safe because the |
25 | | -<code>params[:user_name]</code> content within the output tags will be |
26 | | -automatically HTML escaped before being output. |
27 | | -</p> |
28 | | -<sample src="examples/safe.html.erb" /> |
29 | | -</example> |
| 21 | + <p> |
| 22 | + Care should be taken when using methods such as <code>html_safe</code> or |
| 23 | + <code>raw</code>. These methods can be used to output a string without escaping |
| 24 | + it. As such, they should only be used when the string has already been manually |
| 25 | + escaped (for example, with the Rails <code>html_escape</code> method), or when |
| 26 | + the content is otherwise guaranteed to be safe (such as a hard-coded string). |
| 27 | + </p> |
| 28 | + </recommendation> |
30 | 29 |
|
31 | | -<recommendation> |
32 | | -<p> |
33 | | -Care should be taken when using methods such as <code>html_safe</code> or |
34 | | -<code>raw</code>. These methods can be used to output a string without escaping |
35 | | -it. As such, they should only be used when the string has already been manually |
36 | | -escaped (for example, with the Rails <code>html_escape</code> method), or when |
37 | | -the content is otherwise guaranteed to be safe (such as a hard-coded string). |
38 | | -</p> |
39 | | -</recommendation> |
| 30 | + <example> |
| 31 | + <p> |
| 32 | + In the following example is safe because the |
| 33 | + <code>params[:user_name]</code> content within the output tags will be |
| 34 | + automatically HTML escaped before being output. |
| 35 | + </p> |
| 36 | + <sample src="examples/safe.html.erb" /> |
40 | 37 |
|
41 | | -<example> |
42 | | -<p> |
43 | | -The following example is unsafe because user-controlled input is output without |
44 | | -escaping due to being marked as <code>html_safe</code>. |
45 | | -</p> |
46 | | -<sample src="examples/reflective_xss.html.erb" /> |
47 | | -</example> |
| 38 | + <p> |
| 39 | + However, the following example is unsafe because user-controlled input is |
| 40 | + output without escaping due to being marked as <code>html_safe</code>. |
| 41 | + </p> |
| 42 | + <sample src="examples/reflective_xss.html.erb" /> |
| 43 | + </example> |
48 | 44 |
|
49 | | -<references> |
50 | | -<li> |
51 | | -OWASP: |
52 | | -<a href="https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#cross-site-scripting-xss">XSS |
53 | | -Ruby on Rails Cheatsheet</a>. |
54 | | -</li> |
55 | | -<li> |
56 | | -Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>. |
57 | | -</li> |
58 | | -</references> |
| 45 | + <references> |
| 46 | + <li> |
| 47 | + OWASP: |
| 48 | + <a href="https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#cross-site-scripting-xss">XSS |
| 49 | + Ruby on Rails Cheatsheet</a>. |
| 50 | + </li> |
| 51 | + <li> |
| 52 | + Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>. |
| 53 | + </li> |
| 54 | + </references> |
59 | 55 | </qhelp> |
0 commit comments