detect-disable-mustache-escape

javascript-security

oscar143

SecurityWarning


No tags

No CWE or CVE

security/detect-disable-mustache-escape

Detects assignments of the form "object.escapeMarkup = false", which some template engines accept as a switch that disables escaping of HTML entities in rendered output.

Rendering untrusted data with escaping disabled can lead to Cross-Site Scripting (XSS) vulnerabilities.

More information: OWASP XSS

Ast Rule: assignment


detect-disable-mustache-escape

function visit(node, filename, code) {
	// Match only `<object>.escapeMarkup = false`: the assignment target must be a
	// member access (the left node has a parent), its property name must be
	// `escapeMarkup`, and the right-hand side must be the literal `false`
	// (exposed by the AST as the string "false").
	if (
		node?.left?.parent &&
		node?.left?.name?.value === "escapeMarkup" &&
		node?.right?.value === "false"
	) {
		// Report the whole assignment span as a security warning.
		addError(buildError(
			node.start.line,
			node.start.col,
			node.end.line,
			node.end.col,
			`Markup escaping disabled.`,
			"WARNING",
			"SECURITY",
		));
	}
}

good.js

Expected test result: no error

escapeMarkup = false;
a.escapeMarkup = true;

bad.js

Expected test result: has error

a.escapeMarkup = false;
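To exercise the rule against its two test files outside Codiga, here is an added harness (not Codiga's code) that runs the page's visit() function over hand-built assignment nodes; the node layout (left.parent, left.name.value, right.value, start/end) and the buildError/addError signatures are assumptions modelled on the fields the rule reads, not the real Codiga AST or API.

```javascript
// Findings collected by the rule; mimics Codiga's addError/buildError (assumed).
const errors = [];
function buildError(startLine, startCol, endLine, endCol, message, severity, category) {
  return { startLine, startCol, endLine, endCol, message, severity, category };
}
function addError(err) {
  errors.push(err);
}

// Rule body as it appears on the page.
function visit(node, filename, code) {
  if (
    node?.left?.parent &&
    node?.left?.name?.value === "escapeMarkup" &&
    node?.right?.value === "false"
  ) {
    addError(buildError(node.start.line, node.start.col, node.end.line, node.end.col,
      `Markup escaping disabled.`, "WARNING", "SECURITY"));
  }
}

// Build one assignment node (constructed shape, see lead-in). `object` is null
// for a bare identifier such as `escapeMarkup = false`; then left.parent is
// absent and the rule deliberately stays quiet.
function assignment(object, property, rhsLiteral, line) {
  const left = { name: { value: property } };
  if (object) left.parent = { name: { value: object } };
  return { left, right: { value: rhsLiteral }, start: { line, col: 0 }, end: { line, col: 22 } };
}

// Run the rule over a list of nodes and return the findings for that file.
function runRule(nodes, filename) {
  errors.length = 0;
  for (const node of nodes) visit(node, filename, "");
  return errors.slice();
}

// Constructed inputs mirroring good.js and bad.js from the page.
const goodNodes = [
  assignment(null, "escapeMarkup", "false", 1), // bare identifier: no parent
  assignment("a", "escapeMarkup", "true", 2),   // escaping left enabled
];
const badNodes = [assignment("a", "escapeMarkup", "false", 1)];

console.log(runRule(goodNodes, "good.js").length, runRule(badNodes, "bad.js").length); // prints "0 1"
```

Because the comparison is against the literal string "false", only an assignment of the literal `false` is reported; an assignment from a variable or a different falsy literal is not matched by this rule.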