ベータ Shoulder はベータ版です — 結果が誤っている場合があります。皆さまのフィードバックが次に修正する内容を決定します。 フィードバックを送る
Shoulder.dev

開発者向け脅威インテリジェンス
🌐

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

🛡️ 4 件のルールが検出します

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Cross-site scripting (XSS) vulnerabilities occur when untrusted data enters a web application and is sent to a web browser without proper validation or encoding. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

普及度
頻繁に悪用される
影響度
クリティカル
1 件の重大度クリティカルなルール
予防
文書化済み
4 件の修正例
2 予防
2 予防

この脆弱性の修正方法

4 件の Shoulder 検出ルールに基づく Cross-Site Scripting (XSS) の予防策。

🟨 JavaScript すべて表示 JavaScript 詳細 →
Angular Unsafe Security Context Bypass CRITICAL

Validate content with strict allowlists before using DomSanitizer.bypassSecurityTrust methods

+14 -11 javascript 
  import { Pipe, PipeTransform } from '@angular/core';
  import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
- 
- @Pipe({ name: 'safeHtml' })
- export class SafeHtmlPipe implements PipeTransform {
-   constructor(private sanitizer: DomSanitizer) {}
- 
-   transform(value: string): SafeHtml {
-     return this.sanitizer.bypassSecurityTrustHtml(value);
-   }
- }
- 
- // In template: <div [innerHTML]="userComment | safeHtml"></div>
+ import DOMPurify from 'dompurify';
+ 
+ @Pipe({ name: 'safeHtml' })
+ export class SafeHtmlPipe implements PipeTransform {
+   constructor(private sanitizer: DomSanitizer) {}
+ 
+   transform(value: string): SafeHtml {
+     const clean = DOMPurify.sanitize(value, {
+       ALLOWED_TAGS: ['p', 'br', 'strong', 'em', 'a'],
+       ALLOWED_ATTR: ['href'],
+     });
+     return this.sanitizer.bypassSecurityTrustHtml(clean);
+   }
+ }
Angular Unsafe Property Binding HIGH

Sanitize user content with DOMPurify before binding to innerHTML, or use text interpolation instead

+28 -11 javascript 
  import { Component, Input } from '@angular/core';
- 
- @Component({
-   selector: 'app-comment',
-   template: `
-     <div [innerHTML]="comment.body"></div>
-     <img [src]="comment.avatarUrl">
-     <a [href]="comment.profileLink">Profile</a>
-   `
- })
- export class CommentComponent {
-   @Input() comment: any;
+ import DOMPurify from 'dompurify';
+ 
+ @Component({
+   selector: 'app-comment',
+   template: `
+     <div [innerHTML]="sanitizedBody"></div>
+     <img [src]="safeAvatarUrl">
+     <a [href]="safeProfileLink">Profile</a>
+   `
+ })
+ export class CommentComponent {
+   @Input() comment: any;
+ 
+   get sanitizedBody(): string {
+     return DOMPurify.sanitize(this.comment.body, {
+       ALLOWED_TAGS: ['p', 'br', 'strong', 'em'],
+     });
+   }
+ 
+   get safeAvatarUrl(): string {
+     const url = new URL(this.comment.avatarUrl);
+     return url.protocol === 'https:' ? url.href : '/default-avatar.png';
+   }
+ 
+   get safeProfileLink(): string {
+     const url = new URL(this.comment.profileLink);
+     return url.protocol === 'https:' ? url.href : '#';
+   }
  }
Cross-Site Scripting (XSS) via Response HIGH

Use HTML encoding or sanitization libraries before output

+8 -6 javascript 
  const http = require('http');
  const url = require('url');
- 
- http.createServer((req, res) => {
-   const name = url.parse(req.url, true).query.name;
-   // Vulnerable: user input directly in HTML
-   res.writeHead(200, { 'Content-Type': 'text/html' });
-   res.end(`<h1>Hello ${name}</h1>`);
+ const he = require('he');  // HTML entity encoder
+ 
+ http.createServer((req, res) => {
+   const name = url.parse(req.url, true).query.name;
+   // Safe: HTML-encode user input
+   const safeName = he.encode(name || '');
+   res.writeHead(200, { 'Content-Type': 'text/html' });
+   res.end(`<h1>Hello ${safeName}</h1>`);
  }).listen(3000);
🐍 Python すべて表示 Python 詳細 →
Cross-Site Scripting (XSS) in Templates HIGH

Use template rendering with auto-escaping or html.escape() for manual escaping

+7 -6 python 
- from flask import request, make_response
- 
- @app.route('/greet')
- def greet():
-     name = request.args.get('name')
-     return make_response(f'<h1>Hello {name}</h1>')
+ import html
+ from flask import request, render_template
+ 
+ @app.route('/greet')
+ def greet():
+     name = request.args.get('name')
+     return render_template('greet.html', name=name)
3 検出
3 検出

コードの脆弱性を見つける

Shoulderを使用してコードのImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')パターンをスキャンしましょう。 4 ルール.

ターミナル
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=79

# Or scan entire project
npx @shoulderdev/cli trust .

検出ルール (4)

4 警告サイン
4 警告サイン

コードレビューで注目すべき点

これらのパターンはImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')の潜在的な脆弱性を示しています。コードレビューとセキュリティ監査中に探してください。

🟠
Property binding '...' used without explicit sanitization. This may allow XSS if bound to untrusted data. angular-unsafe-property-binding
🟠
user input flowing into HTTP responses without proper encoding or sanitization javascript-xss
🟠
untrusted user input being rendered in HTML responses without proper escaping python-xss
🔴
DomSanitizer.... used without proper input validation. This completely disables XSS protection. angular-unsafe-pipe
🔍

コードベースをスキャン: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shoulder CLI はコードベース全体から脆弱なパターンを見つけます。

npx shoulder trust すべてのルールを表示