Semgrep html rules


html_generic_rule_reflected_xss

Summary:

Improper neutralization of user input rendered in HTML ('XSS')

Severity: High

CWE: CWE-79

Description:

The HTML template contains potentially dangerous patterns where user-controlled variables may be executed in unsafe contexts. This includes: (1) document.write() or eval() calls within <script> blocks that process unescaped template variables, (2) DOM manipulation via .innerHTML or .outerHTML properties which can execute embedded scripts, (3) CSS <style> blocks using legacy :expression() syntax or template interpolation, (4) template variables in backticks which enable template literal injection, and (5) unescaped template variables in URL attributes (href, src, action, data, http-equiv, style, background-image) which can enable javascript: protocol handlers or data URIs containing scripts. These patterns bypass template auto-escaping and create Cross-Site Scripting (XSS) vulnerabilities where attackers can execute arbitrary JavaScript in victims' browsers.

Remediation:

Consider avoiding document.write() and eval() entirely, as they are inherently unsafe with user data. Use DOM manipulation methods like textContent instead of innerHTML to insert user data as text rather than HTML. Remove legacy CSS :expression() syntax, which is only supported in old IE versions. Avoid template literal interpolation with backticks for user-supplied data. For URL attributes, validate that URLs use safe protocols (http/https) and avoid javascript: or data: URLs with user input. Use template engine escaping filters appropriate to the context: for Django use |urlencode for URL parameters, |escapejs for JavaScript strings, and rely on default auto-escaping for HTML. Implement Content Security Policy (CSP) headers with script-src 'self' to block inline JavaScript and unsafe-eval as defense-in-depth protection.

OWASP:

  • A7:2017-Cross-Site Scripting (XSS)
  • A03:2021-Injection

html_tornado_rule_reflected_xss

Summary:

Improper neutralization of user input rendered in HTML ('XSS')

Severity: High

CWE: CWE-79

Description:

The Tornado HTML template is disabling automatic HTML escaping using {% autoescape None %} globally, or bypassing escaping locally using {% raw ... %} blocks or the {{! ... }} syntax. This creates Cross-Site Scripting (XSS) vulnerabilities when user-controlled data is rendered in these unescaped contexts. Tornado's default auto-escaping protects against XSS by encoding HTML special characters, and these directives explicitly bypass that protection. Global disabling with {% autoescape None %} affects the entire template and all included templates, making it particularly dangerous. The {% raw %} block and {{! }} syntax output content without any escaping, allowing malicious HTML and JavaScript to execute directly in the browser if user input is involved.

Remediation:

Consider keeping Tornado's default auto-escaping enabled by removing {% autoescape None %} from templates or using {% autoescape xhtml_escape %} explicitly. Avoid using {% raw %} blocks and {{! }} syntax on any user-supplied data - reserve these only for trusted HTML from your application code. If you need to render rich user-generated content that requires HTML, use a whitelist-based sanitizer like bleach or nh3 to clean the HTML in Python before passing it to the template. Use Tornado's escaping functions in Python code: tornado.escape.xhtml_escape() for HTML contexts, tornado.escape.url_escape() for URLs, and tornado.escape.json_encode() for JSON. Implement Content Security Policy (CSP) headers using Tornado's set_header() method to provide defense-in-depth protection against XSS attacks even if escaping is accidentally bypassed.

OWASP:

  • A7:2017-Cross-Site Scripting (XSS)
  • A03:2021-Injection
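The following is an added example, not part of the Semgrep rule set or Tornado itself: a small stdlib-only checker that flags the three directives the html_tornado_rule_reflected_xss description names ({% autoescape None %}, {% raw ... %} and {{! ... }}), alongside context-specific escaping helpers that stand in for tornado.escape.xhtml_escape(), url_escape() and json_encode(). The template text, the UNSAFE_DIRECTIVES patterns and the function names are constructed for this illustration.

```python
import html
import json
import re
from urllib.parse import quote

# Directives the rule describes as bypassing Tornado's default auto-escaping.
# These regexes are an approximation written for this example, not Semgrep's.
UNSAFE_DIRECTIVES = {
    "autoescape_none": re.compile(r"{%\s*autoescape\s+None\s*%}"),
    "raw_directive": re.compile(r"{%\s*raw\b[^%]*%}"),
    "bang_expression": re.compile(r"{{!\s*[^}]*}}"),
}

def find_unsafe_directives(template: str) -> list:
    """Return (line_number, kind, matched_text) for each unescaped-output directive."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for kind, pattern in UNSAFE_DIRECTIVES.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(0)))
    return findings

def escape_for_context(value: str, context: str) -> str:
    """Stdlib stand-ins for tornado.escape (constructed for this example):
    html -> xhtml_escape, url -> url_escape, js -> json_encode."""
    if context == "html":
        return html.escape(value, quote=True)       # &, <, >, ", ' encoded
    if context == "url":
        return quote(value, safe="")                # percent-encode everything
    if context == "js":
        # Mirrors json_encode's guard against closing an enclosing <script>.
        return json.dumps(value).replace("</", "<\\/")
    raise ValueError(f"unknown context {context!r}")

# Constructed sample template: one auto-escaped output and three bypasses.
SAMPLE_TEMPLATE = """\
{% autoescape None %}
<h1>{{ title }}</h1>
<div>{% raw user_bio %}</div>
<p>{{! comment }}</p>
"""

if __name__ == "__main__":
    for lineno, kind, text in find_unsafe_directives(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {kind}: {text}")
    print(escape_for_context('<img src=x onerror="alert(1)">', "html"))
```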