Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Cross-site scripting (XSS) vulnerabilities occur when untrusted data enters a web application and is sent to a web browser without proper validation or encoding. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
普遍性
高
频繁被利用
影响
关键
1 条严重级别为关键的规则
预防
已记录
4 个修复示例
2 预防
2 预防
如何修复此漏洞
基于 4 条 Shoulder 检测规则的 Cross-Site Scripting (XSS) 预防策略。
JavaScript
查看全部 JavaScript 详情 →
Angular Unsafe Security Context Bypass
CRITICAL
Validate content with strict allowlists before using DomSanitizer.bypassSecurityTrust methods
import { Pipe, PipeTransform } from '@angular/core'; import { DomSanitizer, SafeHtml } from '@angular/platform-browser'; - - @Pipe({ name: 'safeHtml' }) - export class SafeHtmlPipe implements PipeTransform { - constructor(private sanitizer: DomSanitizer) {} - - transform(value: string): SafeHtml { - return this.sanitizer.bypassSecurityTrustHtml(value); - } - } - - // In template: <div [innerHTML]="userComment | safeHtml"></div> + import DOMPurify from 'dompurify'; + + @Pipe({ name: 'safeHtml' }) + export class SafeHtmlPipe implements PipeTransform { + constructor(private sanitizer: DomSanitizer) {} + + transform(value: string): SafeHtml { + const clean = DOMPurify.sanitize(value, { + ALLOWED_TAGS: ['p', 'br', 'strong', 'em', 'a'], + ALLOWED_ATTR: ['href'], + }); + return this.sanitizer.bypassSecurityTrustHtml(clean); + } + }
Angular Unsafe Property Binding
HIGH
Sanitize user content with DOMPurify before binding to innerHTML, or use text interpolation instead
import { Component, Input } from '@angular/core'; - - @Component({ - selector: 'app-comment', - template: ` - <div [innerHTML]="comment.body"></div> - <img [src]="comment.avatarUrl"> - <a [href]="comment.profileLink">Profile</a> - ` - }) - export class CommentComponent { - @Input() comment: any; + import DOMPurify from 'dompurify'; + + @Component({ + selector: 'app-comment', + template: ` + <div [innerHTML]="sanitizedBody"></div> + <img [src]="safeAvatarUrl"> + <a [href]="safeProfileLink">Profile</a> + ` + }) + export class CommentComponent { + @Input() comment: any; + + get sanitizedBody(): string { + return DOMPurify.sanitize(this.comment.body, { + ALLOWED_TAGS: ['p', 'br', 'strong', 'em'], + }); + } + + get safeAvatarUrl(): string { + const url = new URL(this.comment.avatarUrl); + return url.protocol === 'https:' ? url.href : '/default-avatar.png'; + } + + get safeProfileLink(): string { + const url = new URL(this.comment.profileLink); + return url.protocol === 'https:' ? url.href : '#'; + } }
Cross-Site Scripting (XSS) via Response
HIGH
Use HTML encoding or sanitization libraries before output
const http = require('http'); const url = require('url'); - - http.createServer((req, res) => { - const name = url.parse(req.url, true).query.name; - // Vulnerable: user input directly in HTML - res.writeHead(200, { 'Content-Type': 'text/html' }); - res.end(`<h1>Hello ${name}</h1>`); + const he = require('he'); // HTML entity encoder + + http.createServer((req, res) => { + const name = url.parse(req.url, true).query.name; + // Safe: HTML-encode user input + const safeName = he.encode(name || ''); + res.writeHead(200, { 'Content-Type': 'text/html' }); + res.end(`<h1>Hello ${safeName}</h1>`); }).listen(3000);
Python
查看全部 Python 详情 →
Cross-Site Scripting (XSS) in Templates
HIGH
Use template rendering with auto-escaping or html.escape() for manual escaping
- from flask import request, make_response - - @app.route('/greet') - def greet(): - name = request.args.get('name') - return make_response(f'<h1>Hello {name}</h1>') + import html + from flask import request, render_template + + @app.route('/greet') + def greet(): + name = request.args.get('name') + return render_template('greet.html', name=name)
3 检测
3 检测
查找代码中的漏洞
使用Shoulder扫描代码中的Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')模式。 4 规则.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=79 # Or scan entire project npx @shoulderdev/cli trust .
检测规则 (4)
🟨
Javascript
3 rules
Angular Unsafe Security Context Bypass
CRITICAL
DomSanitizer.bypassSecurityTrust* methods completely disable XSS protection,
enabling script injection when used with any user-controllable data.
Angular Unsafe Property Binding
HIGH
Property bindings like [innerHTML] and [src] with untrusted data enable XSS attacks
when Angular's sanitizer is bypassed or insufficient.
Cross-Site Scripting (XSS) via Response
HIGH
Detects user input flowing into HTTP responses without proper encoding or sanitization.
🔷
Typescript
3 rules
Angular Unsafe Security Context Bypass
CRITICAL
DomSanitizer.bypassSecurityTrust* methods completely disable XSS protection,
enabling script injection when used with any user-controllable data.
Angular Unsafe Property Binding
HIGH
Property bindings like [innerHTML] and [src] with untrusted data enable XSS attacks
when Angular's sanitizer is bypassed or insufficient.
Cross-Site Scripting (XSS) via Response
HIGH
Detects user input flowing into HTTP responses without proper encoding or sanitization.
4 警告信号
4 警告信号
代码审查中需要关注的内容
这些模式表明潜在的Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')漏洞。在代码审查和安全审计中注意查找。
Property binding '...' used without explicit sanitization. This may allow XSS if bound to untrusted data.
angular-unsafe-property-binding
user input flowing into HTTP responses without proper encoding or sanitization
javascript-xss
untrusted user input being rendered in HTML responses without proper
escaping
python-xss
DomSanitizer.... used without proper input validation. This completely disables XSS protection.
angular-unsafe-pipe
扫描你的代码库: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Shoulder CLI 在整个代码库中找到易受攻击的模式。