
Merge pull request #762 from ossf/missing_js
Add missing xss.js file
david-a-wheeler authored Jan 30, 2025

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
2 parents 8b52e14 + 41e3154 commit c04ac32
Showing 1 changed file with 51 additions and 0 deletions.
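--- a/docs/labs/xss.js
+++ b/docs/labs/xss.js
@@ -0,0 +1,51 @@
+info =
+{
+hints: [
+{
+absent: "autoescape",
+text: "Add an `autoescape=` parameter."
+},
+{
+present: String.raw`autoescape [^:\x20]`,
+text: "The name `autoescape` needs to be followed by `=`."
+},
+{
+present: "(Autoescape|AUTOESCAPE)",
+text: "The name `autoescape` must be in all lowercase."
+},
+{
+present: "([Aa]uto_[Ee]scape|AUTO_ESCAPE)",
+text: "Use `autoescape` in all lowercase with no underscores."
+},
+{
+present: String.raw`\| safe`,
+index: 1,
+text: "The text `| safe` indicates that this text is trusted and should not be escaped further. However, in context this data could be provided from an attacker and is NOT safe. Remove the marking."
+},
+{
+present: String.raw`\|`,
+index: 1,
+text: "The `|` is used to separate the computed value from the safe marking, but we will not use that marking. Remove the vertical bar."
+},
+{
+present: String.raw`Markup \(.*\+.*\)`,
+index: 2,
+text: "Having a concatenation (+) *inside* the call to Markup is a vulnerability. The call to Markup presumes we are passing text that is *not* supposed be escaped. If it is supposed to be escaped, it should be concatenated outside the initial construction of the Markup object."
+},
+{
+absent: String.raw`\+`,
+index: 2,
+text: "Our expected answer includes concatentation using `+`. We expect something like `Markup('Original name='` followed by `+` followed by the variable containing the data that needs to be escaped."
+}
+],
+expected: [
+'autoescape=select_autoescape()',
+'<h1>Hello {{ person }}!</h1>',
+`result = Markup('Original name=') + name`
+],
+correct: [
+String.raw`\s* autoescape = select_autoescape \( \) \s*`,
+String.raw`\s* < h1 >Hello\x20{{ person }}!< /h1 > \s*`,
+String.raw`\s* result = Markup \( ('Original name='|"Original name=") \) \+ name \s*`
+],
+}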
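Review bot: The second hint's pattern `autoescape [^:\x20]` (applied to field 0) also matches the correct form `autoescape=`, because `=` is not excluded by the character class, so a learner who wrote `autoescape=` correctly but got something else in that field wrong would be told the name "needs to be followed by `=`"; assuming the checker only rewrites the space as optional whitespace, changing the class to `[^=\x20]` looks like the intended check — verify against the lab checker's pattern preprocessing. Two hint texts that reach the learner also carry typos: `supposed be escaped` should read `supposed to be escaped`, and `concatentation` should read `concatenation`. Finally, `info =` is assigned without a declaration, which creates an implicit global in a sloppy-mode script and throws in strict mode or an ES module; if the lab harness deliberately reads a global `info`, a leading comment such as `// Global object read by the lab checker; intentionally not declared with const/let` would make that explicit for the next maintainer.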
