swift/ql/src/queries/Security/CWE-116/BadTagFilter.qhelp
7 additions & 9 deletions
@@ -5,13 +5,13 @@
5
5
6
6
<overview>
7
7
<p>
8
-
It is possible to match some single HTML tags using regular expressions (parsing general HTML using
9
-
regular expressions is impossible). However, if the regular expression is not written well it might
8
+
It is possible to match some single HTML tags using regular expressions (parsing general HTML using
9
+
regular expressions is impossible). However, if the regular expression is not written well it might
10
10
be possible to circumvent it, which can lead to cross-site scripting or other security issues.
11
11
</p>
12
12
<p>
13
13
Some of these mistakes are caused by browsers having very forgiving HTML parsers, and
14
-
will often render invalid HTML containing syntax errors.
14
+
will often render invalid HTML containing syntax errors.
15
15
Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.
16
16
</p>
17
17
</overview>
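Review bot: lines 8, 9 and 14 of the overview are marked as rewritten but read identically before and after, so this hunk looks like a whitespace-only cleanup (trailing spaces stripped); if that is the intent, say so in the commit message so nobody reads it as a wording change, and if a wording change was intended it did not land. The retained text is accurate as it stands: a regular expression that only accepts well-formed tags can be bypassed precisely because browsers render HTML that contains syntax errors.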
@@ -28,17 +28,17 @@ likely to handle corner cases correctly than a custom implementation.
28
28
The following example attempts to filters out all <code><script></code> tags.
29
29
</p>
30
30
31
-
<samplesrc="examples/BadTagFilter.rb" />
31
+
<samplesrc="examples/BadTagFilterBad.swift" />
32
32
33
33
<p>
34
-
The above sanitizer does not filter out all <code><script></code> tags.
34
+
The above sanitizer does not filter out all <code><script></code> tags.
35
35
Browsers will not only accept <code></script></code> as script end tags, but also tags such as <code></script foo="bar"></code> even though it is a parser error.
36
-
This means that an attack string such as <code><script>alert(1)</script foo="bar"></code> will not be filtered by
36
+
This means that an attack string such as <code><script>alert(1)</script foo="bar"></code> will not be filtered by
37
37
the function, and <code>alert(1)</code> will be executed by a browser if the string is rendered as HTML.
38
38
</p>
39
39
40
40
<p>
41
-
Other corner cases include that HTML comments can end with <code>--!></code>,
41
+
Other corner cases include that HTML comments can end with <code>--!></code>,
42
42
and that HTML tag names can contain upper case characters.
43
43
</p>
44
44
</example>
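Review bot: the sample reference changes from examples/BadTagFilter.rb to examples/BadTagFilterBad.swift, which is the right fix for a qhelp living under swift/ql, but the Swift example file is not part of this diff, so make sure it is added in the same change (the help generator cannot resolve a missing sample) and that its filter actually exhibits the weakness the surrounding text describes, i.e. a pattern that matches `</script>` but lets `</script foo="bar">` through. Two smaller points in this hunk: the unchanged line 28 reads "attempts to filters out" and should be "attempts to filter out", and the rewritten lines 34, 36 and 41 appear unchanged here, so they are presumably whitespace-only like the overview hunk. Also check that the `<script>` text inside the `<code>` elements is entity-escaped in the qhelp source, since a literal `<script>` would be parsed as an XML element rather than shown as text.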
@@ -50,5 +50,3 @@ and that HTML tag names can contain upper case characters.
50
50
<li>stackoverflow.com: <ahref="https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html">Why aren't browsers strict about HTML?</a>.</li>
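Review bot: the header says two lines are dropped from the references section (-50,5 +50,3), but only the unchanged stackoverflow.com entry is visible here, so the removed entries cannot be reviewed; confirm they were Ruby-specific references rather than general ones the retained prose still relies on, and that the references element is still well-formed after the deletion.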