Unsanitized user input in output stream (XSS)

• Rule ID: python_django_response_using_user_input
• Languages: python
• Source: response_using_user_input.yml

Description

Cross-site scripting (XSS) vulnerabilities occur when unsanitized user input is included in web page content. This flaw can lead to malicious scripts being executed in the context of the user's browser, compromising the security of user data and interactions with the application.

Remediations

• Do use templating engines that automatically encode data based on its context.
• Do use an encoder to handle user input before incorporating it into the output stream. This step helps minimize the risk of XSS attacks by converting potentially dangerous characters into a safe format.

  user_input = request.GET["user"]
  encoded_user_input = django.utils.html.escape(user_input)
  response = HttpResponse(encoded_user_input)

• Do sanitize user input to remove or neutralize unwanted scripts. Sanitization goes beyond encoding by actively removing harmful content from user input before it is used in the output.

  user_input = request.GET["user"]
  sanitized_user_input = django.utils.html.strip_tags(user_input)
  response = HttpResponse(sanitized_user_input)

References

• OWASP XSS Prevention Cheatsheet

Associated CWE

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_django_response_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_django_response_using_user_input