Cross-site Scripting (XSS) due to improper neutralization of input during web page generation
Description
This application renders HTML with an insecure configuration: it calls Sqrl.autoEscaping(false) in squirrelly, which turns off escaping of interpolated values for every template. If an interpolated value is attacker-controlled (for example, a user-supplied name containing script markup) and the application does not otherwise validate or encode the output, the result is Cross-Site Scripting (XSS).
Examples
Insecure Code

```javascript
var Sqrl = require('squirrelly');
// Globally disables escaping of interpolated values in every template.
Sqrl.autoEscaping(false);
```

Secure Code

```javascript
var Sqrl = require('squirrelly');
// autoEscaping is true by default, so interpolated values are HTML-escaped.
```

Remediation
Consider using squirrelly with default autoEscaping settings, which escapes input values to prevent XSS attacks.
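To make the difference concrete, the following added example (written for this page, not Squirrelly's own code) reproduces the effect of the autoEscaping switch with a minimal placeholder renderer, so it runs without installing the package. The `escapeHtml` function, the `render` helper and its `autoEscape` option are assumptions modeled on the page's `autoEscaping` call; the untrusted display name is a constructed sample input.

```javascript
// Added example: a minimal interpolating renderer that mirrors what the
// autoEscaping setting controls. This is NOT Squirrelly's implementation.

// Escape the five characters that matter in HTML text and attribute contexts.
// Assumption: this is the same character set a default-escaping template
// engine neutralizes; check the escape function of the version you deploy.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in for template rendering: replaces {{it.key}} placeholders with data.
// `autoEscape` plays the role of Squirrelly's autoEscaping option (assumed name).
function render(template, data, { autoEscape = true } = {}) {
  return template.replace(/\{\{\s*it\.(\w+)\s*\}\}/g, (_, key) => {
    const raw = data[key] === undefined ? '' : data[key];
    return autoEscape ? escapeHtml(raw) : String(raw);
  });
}

// Constructed sample input: a user-controlled display name that carries markup.
const untrustedName = '<script>alert(1)</script>';
const template = '<p>Hello, {{it.name}}</p>';

// Default configuration: the markup is rendered as inert text.
function renderDefault() {
  return render(template, { name: untrustedName });
}

// Equivalent of autoEscaping(false): the markup reaches the page unchanged.
function renderUnescaped() {
  return render(template, { name: untrustedName }, { autoEscape: false });
}

// Simple review/test check: rendered output must not contain a raw <script> tag.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

console.log('escaped:   ' + renderDefault());
console.log('unescaped: ' + renderUnescaped());
```

The escaped rendering shows the markup as literal text, while the unescaped rendering places the tag into the document as-is. A check like `containsRawScript` is a cheap regression test to run over rendered views when a template engine's escaping is ever switched off for a specific template.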
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0430 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XSS, Cross-site Scripting |
| OWASP | A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection |