
Insecure Processing of Data

This category covers the following issues:

Cross-Site Scripting (XSS)

Why is this important?

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise trusted websites. XSS attacks allow attackers to target legitimate users of a web application by sending malicious script code to them.

Check out this video for a high-level explanation:

Cross-Site Scripting

Fixing Cross-Site Scripting

Option A: Perform output encoding

  1. Go through the issues that GuardRails identified in the PR.

  2. Look for patterns like this:

    def index(conn, %{"dangerous" => dangerous}) do
      put_resp_content_type(conn, "text/html")
      |> send_resp(200, dangerous)
    end

    or:

    def index(conn, %{"dangerous" => dangerous}) do
      html(conn, "<h1>#{dangerous}</h1>")
    end

    or:

    <%= raw(@dangerous_user_input) %>
    <%# This bypasses the built-in escaping and has to be used with care. Ensure that the %>
    <%# content is not coming from request parameters and is a safe, hard-coded string. %>
  3. And use safe alternatives like:

    def index(conn, %{"dangerous" => dangerous}) do
      put_resp_content_type(conn, "text/plain")
      |> send_resp(200, dangerous)
    end

    or use URI.encode to encode dangerous characters before interpolating them:

    def index(conn, %{"dangerous" => dangerous}) do
      html(conn, "<h1>#{URI.encode(dangerous)}</h1>")
    end
  4. Test it

  5. Ship it 🚢 and relax 🌴
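The following script is an added example, not code from the GuardRails page or from the Phoenix project. It takes one constructed piece of attacker-controlled request data and shows what each of the three options above does to it: raw interpolation (the pattern from step 2), serving the value as `text/plain`, and percent-encoding it with `URI.encode/1`. It also adds a fourth variant, HTML entity escaping, because `URI.encode/1` is a URL encoder: it turns `<` and `>` into `%3C`/`%3E`, which neutralises tags in an HTML body but renders as literal percent sequences, and it leaves `'` alone since that is a URI reserved character. The `html_escape/1` helper here is a hypothetical stand-in written so the script runs with plain `elixir` and no dependencies; in a real Phoenix application use `Plug.HTML.html_escape/1` or, better, let `~H`/EEx templates escape interpolated values by default. The module name `XssEncoding` and the sample input are assumptions made for this example.

```elixir
# Added example (not from the GuardRails page or the Phoenix project).
# Run with: elixir xss_encoding.exs
defmodule XssEncoding do
  # Constructed sample of attacker-controlled request data.
  @dangerous "<script>alert(\"xss\")</script>"

  # Minimal HTML entity escaping for element content and attribute values.
  # Hypothetical helper that mirrors the character set Plug.HTML.html_escape/1
  # handles; prefer the library function in application code.
  def html_escape(string) when is_binary(string) do
    string
    |> String.replace("&", "&amp;")   # must come first so later entities are not double-escaped
    |> String.replace("<", "&lt;")
    |> String.replace(">", "&gt;")
    |> String.replace("\"", "&quot;")
    |> String.replace("'", "&#39;")
  end

  # Pattern from step 2: raw interpolation into an HTML body. The browser
  # parses and executes whatever the request parameter contained.
  def unsafe_body(input), do: "<h1>#{input}</h1>"

  # Step 3, first option: keep the body unchanged but serve it as text/plain,
  # so the browser never parses it as HTML. Safety comes from the content
  # type, so the two must be returned together.
  def text_plain_response(input), do: {"text/plain", input}

  # Step 3, second option as written on the page: percent-encoding.
  def uri_encoded_body(input), do: "<h1>#{URI.encode(input)}</h1>"

  # Entity escaping, the encoding that matches an HTML body context.
  def html_escaped_body(input), do: "<h1>#{html_escape(input)}</h1>"

  # Crude check used only by this demo: does the body still contain an
  # unencoded script tag that an HTML parser would act on?
  def contains_raw_tag?(body), do: String.contains?(String.downcase(body), "<script")

  def demo do
    IO.puts("unsafe:      #{unsafe_body(@dangerous)}")

    {content_type, body} = text_plain_response(@dangerous)
    IO.puts("text/plain:  (#{content_type}) #{body}")

    IO.puts("URI.encode:  #{uri_encoded_body(@dangerous)}")
    IO.puts("html_escape: #{html_escaped_body(@dangerous)}")

    # Only the raw interpolation leaves an executable tag in an HTML body;
    # the match operator raises MatchError if any of these expectations fail.
    true = contains_raw_tag?(unsafe_body(@dangerous))
    false = contains_raw_tag?(uri_encoded_body(@dangerous))
    false = contains_raw_tag?(html_escaped_body(@dangerous))
    :ok
  end
end

XssEncoding.demo()
```

Pick the encoding by where the value ends up: entity escaping for HTML element content and attribute values, `URI.encode/1` only when the value is being placed into a URL, and `text/plain` when the endpoint never needed to return HTML in the first place. When testing the fix (step 4), feed the constructed sample above through the changed action and confirm the response body carries `&lt;script&gt;` (or `%3Cscript%3E`) rather than a raw tag.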

More information: