Usage of manual HTML sanitization (XSS)

• Rule ID: python_lang_manual_html_sanitization
• Languages: python
• Source: manual_html_sanitization.yml

Description

Manually sanitizing HTML is prone to mistakes and can lead to Cross-Site Scripting (XSS) vulnerabilities. This occurs when user input is not properly sanitized, allowing attackers to inject malicious scripts into web pages viewed by other users.

Remediations

• Do not manually escape HTML to sanitize user input. This method is unreliable and can easily miss certain exploits.

  sanitized_value = user_input.replace('<', '&lt;').replace('>', '&gt;'); # unsafe
  html = f"<strong>{sanitized_value}</strong>"

• Do use a trusted HTML sanitization library to handle user input safely. Libraries designed for sanitization are more reliable as they cover a wide range of XSS attack vectors.

  from html_sanitizer import Sanitizer
  
  sanitizer = Sanitizer()
  sanitized_value = sanitizer.sanitize(user_input)
  
  html = f"<strong>{sanitized_value}</strong>"

References

• OWASP XSS explained

Associated CWE

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_lang_manual_html_sanitization

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_lang_manual_html_sanitization