fix reflected cross-site scripting on escape-html
https://github.com/USStateDept/State-TalentMAP/blob/12b41833458ed70bc529103bc2577ffab8ec5e4c/src/obc.js#L24-L24
To fix the problem, we need to sanitize the user input before incorporating it into the response. The best way to do this is by using a library that provides HTML escaping functionality. One such library is escape-html, which can be used to escape special characters in the user input, thereby preventing XSS attacks.
Directly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first allows for a cross-site scripting vulnerability. This kind of vulnerability is also called reflected cross-site scripting, to distinguish it from other types of cross-site scripting.
POC
The following example code writes part of an HTTP request (which is controlled by the user) directly to the response. This leaves the website vulnerable to cross-site scripting.
```javascript
var app = require('express')();

app.get('/user/:id', function(req, res) {
  if (!isValidUserId(req.params.id)) {
    // BAD: a request parameter is incorporated without validation into the response
    res.send("Unknown user: " + req.params.id);
  } else {
    // TODO: do something exciting
  }
});
```
Sanitizing the user-controlled data prevents the vulnerability:
```javascript
var escape = require('escape-html');
var app = require('express')();

app.get('/user/:id', function(req, res) {
  if (!isValidUserId(req.params.id)) {
    // GOOD: request parameter is sanitized before incorporating it into the response
    res.send("Unknown user: " + escape(req.params.id));
  } else {
    // TODO: do something exciting
  }
});
```
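As an added example (not code from the PR or the project), the two handlers above modelled as pure functions so the difference can be checked offline: the escaping reproduces the five replacements escape-html performs, `isValidUserId` is a stand-in for the helper the page assumes, and the sample id is constructed.

```javascript
// Added example: stand-alone model of the vulnerable and fixed handlers.
// No express or npm needed; escapeHtml mirrors what escape-html does.

// The same five characters escape-html replaces: & < > " '
// '&' must be replaced first so already-escaped text is not double-encoded.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in for the page's isValidUserId (assumed): numeric ids only.
function isValidUserId(id) {
  return /^[0-9]+$/.test(id);
}

// BAD: mirrors the vulnerable handler; the id is reflected verbatim.
function unknownUserBodyVulnerable(id) {
  return 'Unknown user: ' + id;
}

// GOOD: mirrors the fixed handler; the id is escaped before reflection.
function unknownUserBodyFixed(id) {
  return 'Unknown user: ' + escapeHtml(id);
}

// Simulates the /user/:id route for one request parameter. Returns the
// response body, or null when the id is valid and the TODO branch runs.
function handleUserRoute(id, escaped) {
  if (isValidUserId(id)) return null;
  return escaped ? unknownUserBodyFixed(id) : unknownUserBodyVulnerable(id);
}

// Review check: does a response body still contain an unescaped tag?
function containsRawTag(body) {
  return /<[a-zA-Z/]/.test(body);
}

// Constructed sample input: an "id" that carries markup instead of digits.
const SAMPLE_ID = '<b>bob</b>';

console.log(handleUserRoute(SAMPLE_ID, false)); // Unknown user: <b>bob</b>
console.log(handleUserRoute(SAMPLE_ID, true));  // Unknown user: &lt;b&gt;bob&lt;/b&gt;
```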