org.sonar.l10n.py.rules.python.S5439.html Maven / Gradle / Ivy
This rule is deprecated; use {rule:python:S5247} instead.
Why is this an issue?
Template engines have an HTML autoescape mechanism that protects web applications against most common cross-site-scripting (XSS)
vulnerabilities.
By default, it automatically replaces HTML special characters in any template variables. This secure by design configuration should not be globally
disabled.
Escaping HTML from template variables prevents switching into any execution context, like <script>
. Disabling autoescaping
forces developers to manually escape each template variable for the application to be safe. A more pragmatic approach is to escape by default and to
manually disable escaping when needed.
A successful exploitation of a cross-site-scripting vulnerability by an attacker allow him to execute malicious JavaScript code in a user’s web
browser. The most severe XSS attacks involve:
- Forced redirection
- Modify presentation of content
- User accounts takeover after disclosure of sensitive information like session cookies or passwords
This rule supports the following libraries:
Noncompliant code example
from jinja2 import Environment
env = Environment() # Noncompliant; New Jinja2 Environment has autoescape set to false
env = Environment(autoescape=False) # Noncompliant
Compliant solution
from jinja2 import Environment
env = Environment(autoescape=True) # Compliant
Resources
- OWASP Cheat
Sheet - XSS Prevention Cheat Sheet
- OWASP - Top 10 2017 Category A7 - Cross-Site Scripting
(XSS)
- OWASP - Top 10 2017 Category A6 - Security
Misconfiguration
- CWE - CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting')
- CWE - CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic
XSS)
- CWE - CWE-81 - Improper Neutralization of Script in an Error Message Web Page
- CWE - CWE-82 - Improper Neutralization of Script in Attributes of IMG Tags in a Web
Page
- CWE - CWE-83 - Improper Neutralization of Script in Attributes in a Web Page
- CWE - CWE-84 - Improper Neutralization of Encoded URI Schemes in a Web Page
- CWE - CWE-85 - Doubled Character XSS Manipulations
- CWE - CWE-86 - Improper Neutralization of Invalid Characters in Identifiers in Web
Pages
- CWE - CWE-87 - Improper Neutralization of Alternate XSS Syntax