# Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

- Prevalence: 높음 자주 악용됨
- Impact: 치명적 1개의 치명적 심각도 규칙
- Prevention: 문서화됨 4개의 수정 예시

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Cross-site scripting (XSS) vulnerabilities occur when untrusted data enters a web application and is sent to a web browser without proper validation or encoding. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

## Prevention

4개의 Shoulder 탐지 규칙을 기반으로 한 Cross-Site Scripting (XSS) 예방 전략.

### JavaScript

Validate content with strict allowlists before using DomSanitizer.bypassSecurityTrust methods

Sanitize user content with DOMPurify before binding to innerHTML, or use text interpolation instead

Use HTML encoding or sanitization libraries before output

### Python

Use template rendering with auto-escaping or html.escape() for manual escaping

## Warning Signs

- [HIGH] Property binding '...' used without explicit sanitization. This may allow XSS if bound to untrusted data.
- [HIGH] user input flowing into HTTP responses without proper encoding or sanitization
- [HIGH] untrusted user input being rendered in HTML responses without proper
escaping
- [CRITICAL] DomSanitizer.... used without proper input validation. This completely disables XSS protection.

## Consequences

- 승인되지 않은 코드 실행
- 보호 메커니즘 우회
- 애플리케이션 데이터 읽기
- 애플리케이션 데이터 수정

## Mitigations

- 이러한 약점을 허용하지 않는 검증된 라이브러리나 프레임워크를 사용하세요
- 데이터가 사용될 컨텍스트와 기대되는 인코딩을 이해하세요
- 영향을 완화하기 위해 Content Security Policy(CSP)를 사용하세요

## Detection

- Total rules: 4
- Critical: 1
- Languages: javascript, typescript, python

## Rules by Language

### Javascript (3 rules)

- **Angular Unsafe Security Context Bypass** [CRITICAL]: DomSanitizer.bypassSecurityTrust* methods completely disable XSS protection,
enabling script injection when used with any user-controllable data.
  - Remediation: Validate with strict allowlists before using bypassSecurityTrust methods.

```typescript
const ALLOWED_DOMAINS = ['youtube.com', 'vimeo.com'];

embedVideo(urlString: string): SafeResourceUrl | null {
  const url = new URL(urlString);
  if (url.protocol !== 'https:') return null;
  if (!ALLOWED_DOMAINS.some(d => url.hostname.endsWith(d))) return null;
  return this.sanitizer.bypassSecurityTrustResourceUrl(urlString);
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-79/unsafe-pipe
- **Angular Unsafe Property Binding** [HIGH]: Property bindings like [innerHTML] and [src] with untrusted data enable XSS attacks
when Angular's sanitizer is bypassed or insufficient.
  - Remediation: Use DOMPurify to sanitize content before binding to innerHTML.

```typescript
import DOMPurify from 'dompurify';

export class UserProfileComponent {
  get sanitizedBio(): string {
    return DOMPurify.sanitize(this.userBio, {
      ALLOWED_TAGS: ['p', 'br', 'strong', 'em'],
      ALLOWED_ATTR: []
    });
  }
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-79/unsafe-property-binding
- **Cross-Site Scripting (XSS) via Response** [HIGH]: Detects user input flowing into HTTP responses without proper encoding or sanitization.
  - Remediation: Use template engines with auto-escaping or sanitize user input before output.

```javascript
const sanitizeHtml = require('sanitize-html');
const clean = sanitizeHtml(userInput);
res.send(`<div>${clean}</div>`);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-79/xss

### Typescript (3 rules)

- **Angular Unsafe Security Context Bypass** [CRITICAL]: DomSanitizer.bypassSecurityTrust* methods completely disable XSS protection,
enabling script injection when used with any user-controllable data.
  - Remediation: Validate with strict allowlists before using bypassSecurityTrust methods.

```typescript
const ALLOWED_DOMAINS = ['youtube.com', 'vimeo.com'];

embedVideo(urlString: string): SafeResourceUrl | null {
  const url = new URL(urlString);
  if (url.protocol !== 'https:') return null;
  if (!ALLOWED_DOMAINS.some(d => url.hostname.endsWith(d))) return null;
  return this.sanitizer.bypassSecurityTrustResourceUrl(urlString);
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-79/unsafe-pipe
- **Angular Unsafe Property Binding** [HIGH]: Property bindings like [innerHTML] and [src] with untrusted data enable XSS attacks
when Angular's sanitizer is bypassed or insufficient.
  - Remediation: Use DOMPurify to sanitize content before binding to innerHTML.

```typescript
import DOMPurify from 'dompurify';

export class UserProfileComponent {
  get sanitizedBio(): string {
    return DOMPurify.sanitize(this.userBio, {
      ALLOWED_TAGS: ['p', 'br', 'strong', 'em'],
      ALLOWED_ATTR: []
    });
  }
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-79/unsafe-property-binding
- **Cross-Site Scripting (XSS) via Response** [HIGH]: Detects user input flowing into HTTP responses without proper encoding or sanitization.
  - Remediation: Use template engines with auto-escaping or sanitize user input before output.

```javascript
const sanitizeHtml = require('sanitize-html');
const clean = sanitizeHtml(userInput);
res.send(`<div>${clean}</div>`);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-79/xss

### Python (1 rules)

- **Cross-Site Scripting (XSS) in Templates** [HIGH]: Detects untrusted user input being rendered in HTML responses without proper
escaping.
  - Remediation: Use template rendering with auto-escaping, or escape manually with html.escape().

```python
import html
safe_text = html.escape(user_input)
```

Learn more: https://shoulder.dev/learn/python/cwe-79/xss