Reflected server-side cross-site scripting

ID: rb/reflected-xss
Kind: path-problem
Security severity: 6.1
Severity: error
Precision: high
Tags: security, external/cwe/cwe-079, external/cwe/cwe-116
Query suites: ruby-code-scanning.qls, ruby-security-extended.qls, ruby-security-and-quality.qls
Directly writing user input (for example, an HTTP request parameter) to a webpage, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.
Recommendation
To guard against cross-site scripting, escape user input before writing it to the page. Some frameworks, such as Rails, perform this escaping implicitly and by default.
Take care when using methods such as html_safe or raw. They emit a string without escaping it, and should only be used when the string has already been manually escaped (for example, with the Rails html_escape method), or when the content is otherwise guaranteed to be safe (such as a hard-coded string).
Example

The following example is safe because the params[:user_name] content within the output tags will be HTML-escaped automatically before being emitted.
<p>Hello <%= params[:user_name] %>!</p>
However, the following example is unsafe because user-controlled input is emitted without escaping, since it is marked as html_safe.
<p>Hello <%= params[:user_name].html_safe %>!</p>
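To make the difference between the two templates concrete outside a running Rails application, the following added example (not code from the page or from the CodeQL repository) renders both templates with plain Ruby's ERB. Plain ERB does not escape <%= %> output, so the first template behaves like the page's unsafe html_safe example; the second template calls h (ERB::Util.html_escape, the same escaping Rails applies by default) and behaves like the safe example. The Page class, the templates, and the sample parameter value are constructed for this illustration.

```ruby
require "erb"

# Constructed sample request parameter (not from the page): the kind of value an
# attacker-controlled query string could carry into params[:user_name].
SAMPLE_PARAMS = { user_name: "<script>alert('xss')</script>" }.freeze

# Plain ERB (outside Rails) emits <%= %> output verbatim, so this template has the
# same effect as `<%= params[:user_name].html_safe %>` in a Rails view.
UNSAFE_TEMPLATE = "<p>Hello <%= params[:user_name] %>!</p>"

# Emulates Rails' default behaviour: the value is HTML-escaped before emission.
# `h` is ERB::Util.html_escape, which escapes & < > " and '.
SAFE_TEMPLATE = "<p>Hello <%= h(params[:user_name]) %>!</p>"

# Minimal stand-in for a view context: exposes `params` to the template and
# mixes in ERB::Util so `h` is callable inside the template's binding.
class Page
  include ERB::Util

  attr_reader :params

  def initialize(params)
    @params = params
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_unsafe(params)
  Page.new(params).render(UNSAFE_TEMPLATE)
end

def render_escaped(params)
  Page.new(params).render(SAFE_TEMPLATE)
end

# Simple check a reviewer or test can run: does the rendered HTML still contain
# the user-supplied markup characters unchanged? True means the input reached
# the page without escaping.
def leaks_markup?(html, user_value)
  user_value.match?(/[<>"']/) && html.include?(user_value)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:  #{render_unsafe(SAMPLE_PARAMS)}"
  puts "escaped: #{render_escaped(SAMPLE_PARAMS)}"
  puts "unsafe leaks markup? #{leaks_markup?(render_unsafe(SAMPLE_PARAMS), SAMPLE_PARAMS[:user_name])}"
end
```

The escaped rendering turns every angle bracket and quote into an entity, so the browser displays the text of the script tag rather than executing it; the unsafe rendering reproduces the tag byte for byte, which is exactly the data flow the rb/reflected-xss query reports when it sees request input reaching html_safe or raw.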
References

OWASP: XSS Ruby on Rails Cheatsheet.
Wikipedia: Cross-site scripting.
Common Weakness Enumeration: CWE-79.
Common Weakness Enumeration: CWE-116.