Insecure Processing of Data
This category covers the following issues:
Cross-Site Scripting (XSS)
Why is this important?
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise trusted websites. XSS attacks allow attackers to target legitimate users of a web application by sending malicious script code to them.
Check out this video for a high-level explanation:
Fixing Cross-Site Scripting
Option A: Perform output encoding
- Go through the issues that GuardRails identified in the PR.
- Look for patterns like this:
```elixir
def index(conn, %{"dangerous" => dangerous}) do
  put_resp_content_type(conn, "text/html")
  |> send_resp(200, dangerous)
end
```
or:
```elixir
def index(conn, %{"dangerous" => dangerous}) do
  html conn, "<h1>#{dangerous}</h1>"
end
```
or:
```elixir
<%= raw(@dangerous_user_input) %>
# This bypasses the built-in escaping and has to be used with care. Ensure that the
# content is not coming from request parameters, and is a safe hard-coded string.
```
- And use safe alternatives like:
```elixir
def index(conn, %{"dangerous" => dangerous}) do
  put_resp_content_type(conn, "text/plain")
  |> send_resp(200, dangerous)
end
```
or use the function URI.encode to encode dangerous characters:
```elixir
def index(conn, %{"dangerous" => dangerous}) do
  html conn, "<h1>#{URI.encode(dangerous)}</h1>"
end
```
- Test it
- Ship it 🚢 and relax 🌴
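The following is an added example, not part of the GuardRails docs or of any Phoenix project. It runs with plain `elixir` and no dependencies, and contrasts the two output-encoding options above on a constructed input: percent-encoding with `URI.encode/1` (as shown on this page) and HTML entity escaping, which is what Phoenix templates apply by default and what `Plug.HTML.html_escape/1` implements. The module name `XssDemo`, its functions and the sample payload are assumptions made for this example.

```elixir
defmodule XssDemo do
  @moduledoc """
  Demonstrates why user input must be encoded before it is interpolated
  into an HTML response, and how two encodings change the same payload.
  """

  # Minimal HTML entity escaping covering the five characters that matter
  # in HTML text and attribute contexts. "&" must be replaced first so that
  # the entities produced for the other characters are not re-escaped.
  def html_escape(input) when is_binary(input) do
    input
    |> String.replace("&", "&amp;")
    |> String.replace("<", "&lt;")
    |> String.replace(">", "&gt;")
    |> String.replace("\"", "&quot;")
    |> String.replace("'", "&#39;")
  end

  # Vulnerable pattern from this page: raw interpolation into HTML.
  def unsafe_page(input), do: "<h1>#{input}</h1>"

  # Safe alternative from this page: percent-encode before interpolating.
  # "<" and ">" are neither reserved nor unreserved URI characters, so
  # URI.encode/1 turns them into %3C and %3E and no tag survives.
  def uri_encoded_page(input), do: "<h1>#{URI.encode(input)}</h1>"

  # The encoding Phoenix's <%= %> tag applies automatically.
  def html_escaped_page(input), do: "<h1>#{html_escape(input)}</h1>"

  # A small check a reviewer can apply to any rendered fragment: does the
  # user-controlled value still contain tag delimiters after encoding?
  def tags_intact?(rendered, user_value) do
    String.contains?(rendered, "<" <> String.trim_leading(user_value, "<"))
  end
end

# Constructed test input; a typical probe string, not taken from any real request.
payload = ~s(<script>alert("x")</script>)

IO.puts("unsafe:       " <> XssDemo.unsafe_page(payload))
IO.puts("URI.encode:   " <> XssDemo.uri_encoded_page(payload))
IO.puts("html_escape:  " <> XssDemo.html_escaped_page(payload))

# Only the unsafe rendering keeps the injected element intact.
IO.inspect(XssDemo.tags_intact?(XssDemo.unsafe_page(payload), payload), label: "unsafe keeps <script>")
IO.inspect(XssDemo.tags_intact?(XssDemo.html_escaped_page(payload), payload), label: "escaped keeps <script>")
```

Run it with `elixir xss_demo.exs`. Both encodings stop the injected element from being parsed as a tag, but they are not interchangeable: `URI.encode/1` leaves URI-reserved characters such as `(`, `)`, `&` and `'` untouched and is designed for URL components, while entity escaping is the encoding for HTML body and attribute text. For HTML responses, prefer the escaping Phoenix templates already perform (or `Plug.HTML.html_escape/1` when building strings by hand), and reserve `URI.encode/1` for values placed inside URLs.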
More information:
- Docs for URI.encode
- OWASP Cheat Sheet - XSS