Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Cross-site scripting (XSS) vulnerabilities occur when untrusted data enters a web application and is sent to a web browser without proper validation or encoding. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Verbreitung

Hoch

Häufig ausgenutzt

Auswirkung

Kritisch

1 Regeln mit kritischem Schweregrad

Prävention

Dokumentiert

4 Fix-Beispiele

2 Prävention

So behebst du diese Schwachstelle

Präventionsstrategien für Cross-Site Scripting (XSS) basierend auf 4 Shoulder-Erkennungsregeln.

🟨 JavaScript Alle anzeigen JavaScript Details →

Angular Unsafe Security Context Bypass CRITICAL

Validate content with strict allowlists before using DomSanitizer.bypassSecurityTrust methods

+14 -11 javascript

  import { Pipe, PipeTransform } from '@angular/core';
  import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
- 
- @Pipe({ name: 'safeHtml' })
- export class SafeHtmlPipe implements PipeTransform {
-   constructor(private sanitizer: DomSanitizer) {}
- 
-   transform(value: string): SafeHtml {
-     return this.sanitizer.bypassSecurityTrustHtml(value);
-   }
- }
- 
- // In template: <div [innerHTML]="userComment | safeHtml"></div>
+ import DOMPurify from 'dompurify';
+ 
+ @Pipe({ name: 'safeHtml' })
+ export class SafeHtmlPipe implements PipeTransform {
+   constructor(private sanitizer: DomSanitizer) {}
+ 
+   transform(value: string): SafeHtml {
+     const clean = DOMPurify.sanitize(value, {
+       ALLOWED_TAGS: ['p', 'br', 'strong', 'em', 'a'],
+       ALLOWED_ATTR: ['href'],
+     });
+     return this.sanitizer.bypassSecurityTrustHtml(clean);
+   }
+ }

Angular Unsafe Property Binding HIGH

Sanitize user content with DOMPurify before binding to innerHTML, or use text interpolation instead

+28 -11 javascript

  import { Component, Input } from '@angular/core';
- 
- @Component({
-   selector: 'app-comment',
-   template: `
-     <div [innerHTML]="comment.body"></div>
-     <img [src]="comment.avatarUrl">
-     <a [href]="comment.profileLink">Profile</a>
-   `
- })
- export class CommentComponent {
-   @Input() comment: any;
+ import DOMPurify from 'dompurify';
+ 
+ @Component({
+   selector: 'app-comment',
+   template: `
+     <div [innerHTML]="sanitizedBody"></div>
+     <img [src]="safeAvatarUrl">
+     <a [href]="safeProfileLink">Profile</a>
+   `
+ })
+ export class CommentComponent {
+   @Input() comment: any;
+ 
+   get sanitizedBody(): string {
+     return DOMPurify.sanitize(this.comment.body, {
+       ALLOWED_TAGS: ['p', 'br', 'strong', 'em'],
+     });
+   }
+ 
+   get safeAvatarUrl(): string {
+     const url = new URL(this.comment.avatarUrl);
+     return url.protocol === 'https:' ? url.href : '/default-avatar.png';
+   }
+ 
+   get safeProfileLink(): string {
+     const url = new URL(this.comment.profileLink);
+     return url.protocol === 'https:' ? url.href : '#';
+   }
  }

Cross-Site Scripting (XSS) via Response HIGH

Use HTML encoding or sanitization libraries before output

+8 -6 javascript

  const http = require('http');
  const url = require('url');
- 
- http.createServer((req, res) => {
-   const name = url.parse(req.url, true).query.name;
-   // Vulnerable: user input directly in HTML
-   res.writeHead(200, { 'Content-Type': 'text/html' });
-   res.end(`<h1>Hello ${name}</h1>`);
+ const he = require('he');  // HTML entity encoder
+ 
+ http.createServer((req, res) => {
+   const name = url.parse(req.url, true).query.name;
+   // Safe: HTML-encode user input
+   const safeName = he.encode(name || '');
+   res.writeHead(200, { 'Content-Type': 'text/html' });
+   res.end(`<h1>Hello ${safeName}</h1>`);
  }).listen(3000);

🐍 Python Alle anzeigen Python Details →

Cross-Site Scripting (XSS) in Templates HIGH

Use template rendering with auto-escaping or html.escape() for manual escaping

+7 -6 python

- from flask import request, make_response
- 
- @app.route('/greet')
- def greet():
-     name = request.args.get('name')
-     return make_response(f'<h1>Hello {name}</h1>')
+ import html
+ from flask import request, render_template
+ 
+ @app.route('/greet')
+ def greet():
+     name = request.args.get('name')
+     return render_template('greet.html', name=name)

3 Erkennung

Finden Sie Schwachstellen in Ihrem Code

Verwenden Sie Shoulder, um Ihren Code nach Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')-Mustern zu scannen. 4 Regeln.

Terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=79

# Or scan entire project
npx @shoulderdev/cli trust .

Erkennungsregeln (4)

🟨 Javascript 3 rules

Angular Unsafe Security Context Bypass CRITICAL

DomSanitizer.bypassSecurityTrust* methods completely disable XSS protection, enabling script injection when used with any user-controllable data.

Angular Unsafe Property Binding HIGH

Property bindings like [innerHTML] and [src] with untrusted data enable XSS attacks when Angular's sanitizer is bypassed or insufficient.

Cross-Site Scripting (XSS) via Response HIGH

Detects user input flowing into HTTP responses without proper encoding or sanitization.

🔷 Typescript 3 rules

Angular Unsafe Security Context Bypass CRITICAL

DomSanitizer.bypassSecurityTrust* methods completely disable XSS protection, enabling script injection when used with any user-controllable data.

Angular Unsafe Property Binding HIGH

Property bindings like [innerHTML] and [src] with untrusted data enable XSS attacks when Angular's sanitizer is bypassed or insufficient.

Cross-Site Scripting (XSS) via Response HIGH

Detects user input flowing into HTTP responses without proper encoding or sanitization.

🐍 Python 1 rules

Cross-Site Scripting (XSS) in Templates HIGH

Detects untrusted user input being rendered in HTML responses without proper escaping.

4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🟠

Property binding '...' used without explicit sanitization. This may allow XSS if bound to untrusted data. angular-unsafe-property-binding

🟠

user input flowing into HTTP responses without proper encoding or sanitization javascript-xss

🟠

untrusted user input being rendered in HTML responses without proper escaping python-xss

🔴

DomSanitizer.... used without proper input validation. This completely disables XSS protection. angular-unsafe-pipe

🔍

Scanne deine Codebasis nach Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.

npx shoulder trust Alle Regeln durchsuchen