Usage of manual HTML sanitization (XSS)
- Rule ID: ruby_lang_manual_html_sanitization
- Languages: ruby
- Source: manual_html_sanitization.yml
Description
Manual HTML sanitization can introduce Cross-Site Scripting (XSS) vulnerabilities. This security risk arises when developers attempt to manually escape HTML entities, which is a process prone to errors and oversights, potentially leaving the application vulnerable to XSS attacks.
Remediations
- Do not manually escape HTML to sanitize user input. This method is unreliable and can easily miss certain exploits.
sanitized_user_input = user.Input
.gsub('<', '<') # unsafe
.gsub('>', '>') # unsafe
html = "<strong>#{sanitized_user_input}</strong>" - Do use a HTML sanitization library to handle user input safely. Libraries are designed to comprehensively sanitize input, protecting against XSS attacks.
html = sanitize("<strong>#{user.Input}</strong>")
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=ruby_lang_manual_html_sanitizationTo run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=ruby_lang_manual_html_sanitization