org.sonar.education.2codeSnippets.html Maven / Gradle / Ivy
This is an example of an attempt to run some code on our
Cross-site scripting (XSS) attack
Assistive technologies, such as screen readers, use <th> headers to provide some context when users navigate a table. Without them the user rapidly gets lost in the flow of data.
Headers should be properly associated with the corresponding <td> cells by using either a scope attribute or headers and id attributes. See W3C WAI Web Accessibility Tutorials for more information.
This rule raises an issue whenever a <table> does not contain any <th> elements.
Moreover, in this example we attempted a cross-site scripting attack by adding a script tag and an onload attribute to the pre tag. Because the description is sanitized before being injected into the DOM, the attempt does not make the page vulnerable.
Noncompliant Code Example
<table> <!-- Noncompliant -->
  <tr>
    <td>Name</td>
    <td>Age</td>
  </tr>
  <tr>
    <td>John Doe</td>
    <td>24</td>
  </tr>
  <tr>
    <td>Alice Doe</td>
    <td>54</td>
  </tr>
</table>
Compliant Solution
<table>
  <tr>
    <th scope="col">Name</th>
    <th scope="col">Age</th>
  </tr>
  <tr>
    <td>John Doe</td>
    <td>24</td>
  </tr>
  <tr>
    <td>Alice Doe</td>
    <td>54</td>
  </tr>
</table>
<script>
alert('nevermind, you good..');
</script>
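As an added example (not part of this rule page and not SonarQube's own implementation), the following Python shows both halves of the description above: a checker that flags every <table> closed without a <th>, and an illustrative sanitizer that drops <script> subtrees and on* event-handler attributes before a rule description is injected into the DOM. The sanitizer's rules and the SAMPLE string are assumptions constructed for this demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample: the compliant table above, then the injected <pre onload>
# and <script> that the description says are sanitized before reaching the DOM.
SAMPLE = ('<table><tr><th scope="col">Name</th><th scope="col">Age</th></tr>'
          '<tr><td>John Doe</td><td>24</td></tr></table>'
          '<pre onload="alert(1)">x</pre><script>alert("hi");</script>')
class TableHeaderChecker(HTMLParser):
    """Records the line of every <table> that closes without containing a <th>."""
    def __init__(self):
        super().__init__()
        self.open_tables, self.issues = [], []   # [line, has_th] per open table
    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self.open_tables.append([self.getpos()[0], False])
        elif tag == "th" and self.open_tables:
            self.open_tables[-1][1] = True       # innermost open table gets a header
    def handle_endtag(self, tag):
        if tag == "table" and self.open_tables:
            line, has_th = self.open_tables.pop()
            if not has_th:
                self.issues.append(line)
def tables_without_headers(html):
    p = TableHeaderChecker(); p.feed(html); p.close()
    return p.issues
class DescriptionSanitizer(HTMLParser):
    """Illustrative sanitizer (an assumption, not Sonar's own): drops <script>
    subtrees and any attribute named on*, and re-escapes text and attribute values."""
    def __init__(self):
        super().__init__()
        self.out, self.in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True                # content arrives via handle_data
        elif not self.in_script:
            kept = "".join(f' {k}="{escape(v)}"' if v is not None else f" {k}"
                           for k, v in attrs if not k.startswith("on"))
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data, quote=False))
def sanitize(html):
    s = DescriptionSanitizer(); s.feed(html); s.close()
    return "".join(s.out)
```

Running `tables_without_headers` on the noncompliant snippet reports its table, while `sanitize(SAMPLE)` keeps the table and its scope attributes but emits neither the script nor the onload handler.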