Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
This rule checks whether HTML entity escaping is globally disabled for JSON output, which can lead to Cross-Site Scripting (XSS) vulnerabilities. XSS attacks allow attackers to inject malicious scripts into web pages viewed by other users, compromising the integrity and confidentiality of user data. When HTML escaping is disabled, special HTML characters (`<`, `>`, `&`) in JSON output are not converted to their Unicode escape equivalents, so JSON that is embedded directly in an HTML page (for example, inside an inline `<script>` block) can carry attacker-controlled markup into the web application's output.
Examples
Insecure Code

```ruby
ActiveSupport.escape_html_entities_in_json = false
config.active_support.escape_html_entities_in_json = false
```

Secure Code

```ruby
ActiveSupport.escape_html_entities_in_json = true
config.active_support.escape_html_entities_in_json = true
```

Remediation
Enable HTML entity escaping in JSON to prevent XSS by setting `ActiveSupport.escape_html_entities_in_json` or `config.active_support.escape_html_entities_in_json` to `true`.
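The following added example (not code from the rule or from ActiveSupport) shows what the setting changes. It re-implements, over the standard-library `json` encoder, the replacement of `<`, `>` and `&` with `\u003c`, `\u003e` and `\u0026` that ActiveSupport applies when `escape_html_entities_in_json` is true, then embeds the result in an inline script the way a view template might. The untrusted input, the `render_inline_script` helper and the `script_breakout?` check are constructed for the demonstration.

```ruby
require "json"

# Re-implementation of the substitution ActiveSupport performs when
# escape_html_entities_in_json is enabled (constructed for this example,
# not ActiveSupport's own code). The escaped form is still valid JSON and
# decodes back to the original string.
HTML_ENTITY_ESCAPES = { "<" => '\u003c', ">" => '\u003e', "&" => '\u0026' }.freeze

# Encodes a value as JSON, applying the HTML entity escapes only when the
# simulated setting is on.
def to_json_with_setting(value, escape_html_entities:)
  raw = JSON.generate(value)
  return raw unless escape_html_entities
  raw.gsub(/[<>&]/, HTML_ENTITY_ESCAPES)
end

# Simulates a view that interpolates JSON into an inline script without
# further escaping, the pattern this rule protects.
def render_inline_script(json)
  "<script>var data = #{json};</script>"
end

# True if the rendered markup contains more than the template's single
# closing tag, meaning the HTML parser would end the script element early.
def script_breakout?(html)
  html.scan(%r{</script>}i).length > 1
end

# Constructed untrusted input, e.g. a user-supplied display name.
UNTRUSTED = { "name" => "</script><script>alert(1)</script>" }.freeze

# Renders the untrusted data under one setting and reports the outcome.
def demo(escape_html_entities:)
  json = to_json_with_setting(UNTRUSTED, escape_html_entities: escape_html_entities)
  html = render_inline_script(json)
  { json: json, html: html, breakout: script_breakout?(html) }
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |setting|
    result = demo(escape_html_entities: setting)
    puts "escape_html_entities_in_json=#{setting}: breakout=#{result[:breakout]}"
    puts "  #{result[:html]}"
  end
end
```

With escaping off, the `</script>` inside the JSON string closes the template's script element and the remainder is parsed as new markup; with escaping on, the same data arrives as `\u003c/script\u003e`, which the HTML parser leaves alone and `JSON.parse` still decodes to the original string. The setting is a safety net for this embedding pattern, not a substitute for escaping at the point where JSON is written into HTML.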
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0528 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | xss, json, html-escaping |
| OWASP | A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection |
References
- https://owasp.org/Top10/A03_2021-Injection
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/json-entity-escape.yaml