Commit c04ac32

Merge pull request #762 from ossf/missing_js
Add missing xss.js file
2 parents 8b52e14 + 41e3154 commit c04ac32

1 file changed: +51 -0 lines changed

docs/labs/xss.js

Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
info =
2+
{
3+
hints: [
4+
{
5+
absent: "autoescape",
6+
text: "Add an `autoescape=` parameter."
7+
},
8+
{
9+
present: String.raw`autoescape [^:\x20]`,
10+
text: "The name `autoescape` needs to be followed by `=`."
11+
},
12+
{
13+
present: "(Autoescape|AUTOESCAPE)",
14+
text: "The name `autoescape` must be in all lowercase."
15+
},
16+
{
17+
present: "([Aa]uto_[Ee]scape|AUTO_ESCAPE)",
18+
text: "Use `autoescape` in all lowercase with no underscores."
19+
},
20+
{
21+
present: String.raw`\| safe`,
22+
index: 1,
23+
text: "The text `| safe` indicates that this text is trusted and should not be escaped further. However, in context this data could be provided from an attacker and is NOT safe. Remove the marking."
24+
},
25+
{
26+
present: String.raw`\|`,
27+
index: 1,
28+
text: "The `|` is used to separate the computed value from the safe marking, but we will not use that marking. Remove the vertical bar."
29+
},
30+
{
31+
present: String.raw`Markup \(.*\+.*\)`,
32+
index: 2,
33+
text: "Having a concatenation (+) *inside* the call to Markup is a vulnerability. The call to Markup presumes we are passing text that is *not* supposed be escaped. If it is supposed to be escaped, it should be concatenated outside the initial construction of the Markup object."
34+
},
35+
{
36+
absent: String.raw`\+`,
37+
index: 2,
38+
text: "Our expected answer includes concatentation using `+`. We expect something like `Markup('Original name='` followed by `+` followed by the variable containing the data that needs to be escaped."
39+
}
40+
],
41+
expected: [
42+
'autoescape=select_autoescape()',
43+
'<h1>Hello {{ person }}!</h1>',
44+
`result = Markup('Original name=') + name`
45+
],
46+
correct: [
47+
String.raw`\s* autoescape = select_autoescape \( \) \s*`,
48+
String.raw`\s* < h1 >Hello\x20{{ person }}!< /h1 > \s*`,
49+
String.raw`\s* result = Markup \( ('Original name='|"Original name=") \) \+ name \s*`
50+
],
51+
}
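Review bot: the `present` pattern on line 9+ (`autoescape [^:\x20]`) does not match the text of its own hint, which says the name "needs to be followed by `=`": the negated class excludes `:` and a space but not `=`, so as written it also matches the correct `autoescape=` and would surface this hint on a right answer; `autoescape [^=\x20]` (or simply `[^=]`) is what the message describes. The pattern on line 31+ (`Markup \(.*\+.*\)`) has a similar over-match: the greedy `.*` lets the `+` be outside the `Markup(...)` call whenever another `)` follows later on the line, e.g. `Markup('Original name=') + str(name)`, and the learner would then be told the concatenation is inside the call; `Markup \([^)]*\+[^)]*\)` confines the match to one parenthesised argument. Two typos in the hint strings should also go before merge: line 33+ reads "not supposed be escaped" (missing "to") and line 38+ reads "concatentation" (should be "concatenation").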
