베타 Shoulder는 베타 버전입니다 — 결과가 가끔 잘못될 수 있습니다. 여러분의 피드백이 다음에 무엇을 고칠지 결정합니다. 피드백 공유
🌐

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

🛡️ 4 개의 규칙이 이를 탐지합니다

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Cross-site scripting (XSS) vulnerabilities occur when untrusted data enters a web application and is sent to a web browser without proper validation or encoding. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

보급률
높음
자주 악용됨
영향
치명적
1개의 치명적 심각도 규칙
예방
문서화됨
4개의 수정 예시
2 예방
2 예방

이 취약점을 수정하는 방법

4개의 Shoulder 탐지 규칙을 기반으로 한 Cross-Site Scripting (XSS) 예방 전략.

Angular Unsafe Security Context Bypass CRITICAL

Validate content with strict allowlists before using DomSanitizer.bypassSecurityTrust methods

+14 -11 javascript
  import { Pipe, PipeTransform } from '@angular/core';
  import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
- 
- @Pipe({ name: 'safeHtml' })
- export class SafeHtmlPipe implements PipeTransform {
-   constructor(private sanitizer: DomSanitizer) {}
- 
-   transform(value: string): SafeHtml {
-     return this.sanitizer.bypassSecurityTrustHtml(value);
-   }
- }
- 
- // In template: <div [innerHTML]="userComment | safeHtml"></div>
+ import DOMPurify from 'dompurify';
+ 
+ @Pipe({ name: 'safeHtml' })
+ export class SafeHtmlPipe implements PipeTransform {
+   constructor(private sanitizer: DomSanitizer) {}
+ 
+   transform(value: string): SafeHtml {
+     const clean = DOMPurify.sanitize(value, {
+       ALLOWED_TAGS: ['p', 'br', 'strong', 'em', 'a'],
+       ALLOWED_ATTR: ['href'],
+     });
+     return this.sanitizer.bypassSecurityTrustHtml(clean);
+   }
+ }
  
Angular Unsafe Property Binding HIGH

Sanitize user content with DOMPurify before binding to innerHTML, or use text interpolation instead

+28 -11 javascript
  import { Component, Input } from '@angular/core';
- 
- @Component({
-   selector: 'app-comment',
-   template: `
-     <div [innerHTML]="comment.body"></div>
-     <img [src]="comment.avatarUrl">
-     <a [href]="comment.profileLink">Profile</a>
-   `
- })
- export class CommentComponent {
-   @Input() comment: any;
+ import DOMPurify from 'dompurify';
+ 
+ @Component({
+   selector: 'app-comment',
+   template: `
+     <div [innerHTML]="sanitizedBody"></div>
+     <img [src]="safeAvatarUrl">
+     <a [href]="safeProfileLink">Profile</a>
+   `
+ })
+ export class CommentComponent {
+   @Input() comment: any;
+ 
+   get sanitizedBody(): string {
+     return DOMPurify.sanitize(this.comment.body, {
+       ALLOWED_TAGS: ['p', 'br', 'strong', 'em'],
+     });
+   }
+ 
+   get safeAvatarUrl(): string {
+     const url = new URL(this.comment.avatarUrl);
+     return url.protocol === 'https:' ? url.href : '/default-avatar.png';
+   }
+ 
+   get safeProfileLink(): string {
+     const url = new URL(this.comment.profileLink);
+     return url.protocol === 'https:' ? url.href : '#';
+   }
  }
  
Cross-Site Scripting (XSS) via Response HIGH

Use HTML encoding or sanitization libraries before output

+8 -6 javascript
  const http = require('http');
  const url = require('url');
- 
- http.createServer((req, res) => {
-   const name = url.parse(req.url, true).query.name;
-   // Vulnerable: user input directly in HTML
-   res.writeHead(200, { 'Content-Type': 'text/html' });
-   res.end(`<h1>Hello ${name}</h1>`);
+ const he = require('he');  // HTML entity encoder
+ 
+ http.createServer((req, res) => {
+   const name = url.parse(req.url, true).query.name;
+   // Safe: HTML-encode user input
+   const safeName = he.encode(name || '');
+   res.writeHead(200, { 'Content-Type': 'text/html' });
+   res.end(`<h1>Hello ${safeName}</h1>`);
  }).listen(3000);
  
Cross-Site Scripting (XSS) in Templates HIGH

Use template rendering with auto-escaping or html.escape() for manual escaping

+7 -6 python
- from flask import request, make_response
- 
- @app.route('/greet')
- def greet():
-     name = request.args.get('name')
-     return make_response(f'<h1>Hello {name}</h1>')
+ import html
+ from flask import request, render_template
+ 
+ @app.route('/greet')
+ def greet():
+     name = request.args.get('name')
+     return render_template('greet.html', name=name)
  
3 탐지
3 탐지

코드에서 취약점 찾기

Shoulder를 사용하여 코드에서 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 패턴을 스캔하세요. 4 규칙.

터미널
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=79

# Or scan entire project
npx @shoulderdev/cli trust .
4 경고 신호
4 경고 신호

코드 리뷰에서 주의할 점

이 패턴은 잠재적인 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.

🟠
Property binding '...' used without explicit sanitization. This may allow XSS if bound to untrusted data. angular-unsafe-property-binding
🟠
user input flowing into HTTP responses without proper encoding or sanitization javascript-xss
🟠
untrusted user input being rendered in HTML responses without proper escaping python-xss
🔴
DomSanitizer.... used without proper input validation. This completely disables XSS protection. angular-unsafe-pipe
🔍

코드베이스를 스캔하세요: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.