XSS False positive inside = javascript_tag

Open kwerle opened this issue 1 year ago • 1 comment

It seems like anything inside a javascript_tag that starts with escape_javascript should be safe, right? (note that we customize our javascript_tag method to add some content to it) Methods and classes mostly anonymized.

== Brakeman Report ==

Application Path: /code
Rails Version: 7.0.8.5
Brakeman Version: 6.2.2
...

== Overview ==

...

== Warning Types ==

Cross-Site Scripting: 1

== Warnings ==

Confidence: Weak
Category: Cross-Site Scripting
Check: CrossSiteScripting
Message: Unescaped parameter value
Code: escape_javascript(RailsClass.new(RailsClass2.find(params[:some_param_id])).some_method((current_user and current_user.some_method).things.find(params[:some_id])).some_method)
File: app/views/explore/display_options/_some_partial.html.haml
Line: 30

Code sketch:

  = javascript_tag do
    :plain
      ...
      my_function('#{escape_javascript(some_object.some_method)}');
      ...

kwerle avatar Nov 25 '24 19:11 kwerle

It seems like anything inside a javascript_tag that starts with escape_javascript should be safe, right?

That would be nice, but no. I wrote a blog post about it a while back: https://blog.presidentbeef.com/blog/2020/05/12/why-escape-javascript-is-dangerous/

Last time I checked, the only safe use is the code you have here - within a JavaScript string. So this is a false positive.

presidentbeef avatar Nov 25 '24 20:11 presidentbeef
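The point in the reply above, shown in code. This is an added example, not code from the issue, from Brakeman, or from the blog post: it carries a plain-Ruby copy of the character mapping used by ActionView's escape_javascript (assumed to match Rails 7; nothing here loads Rails), renders the same helper output in the two positions a template might put it, and checks which one keeps attacker input inert. `my_function`, the template strings and the payloads are constructed for illustration.

```ruby
# Added example (not from the issue): why escape_javascript is only safe inside
# a JavaScript string literal. The mapping below is assumed to mirror Rails 7's
# ActionView::Helpers::JavaScriptHelper#escape_javascript; it only neutralises
# quotes, backslashes, line breaks, "</", backticks and "$". It does not, and
# cannot, make an arbitrary value safe as bare JavaScript code.
JS_ESCAPE_MAP = {
  "\\"     => "\\\\",
  "</"     => '<\/',      # keeps "</script>" from closing the HTML element
  "\r\n"   => '\n',
  "\n"     => '\n',
  "\r"     => '\n',
  '"'      => '\\"',
  "'"      => "\\'",
  "`"      => "\\`",      # template-literal delimiter
  "$"      => "\\$",      # "${...}" interpolation inside template literals
  "\u2028" => "&#x2028;", # JS line terminators that are not ASCII newlines
  "\u2029" => "&#x2029;",
}.freeze

def escape_javascript(javascript)
  javascript = javascript.to_s
  return "" if javascript.empty?
  javascript.gsub(/(\\|<\/|\r\n|\u2028|\u2029|[\n\r"'`$])/u, JS_ESCAPE_MAP)
end

# Context 1 (the issue's code sketch): helper output lands inside a
# single-quoted JS string literal. This is the only context the escaper covers.
def safe_template(value)
  "my_function('#{escape_javascript(value)}');"
end

# Context 2 (hypothetical, the pattern the blog post warns about): helper output
# lands in expression position with no quotes around it.
def unsafe_template(value)
  "my_function(#{escape_javascript(value)});"
end

# True when the rendered line is still exactly one call with one string-literal
# argument whose every single quote is backslash-escaped, i.e. the attacker
# never left the string. Deliberately strict: anything else counts as broken.
def string_literal_intact?(js)
  body = js[/\Amy_function\('(.*)'\);\z/m, 1]
  return false if body.nil?
  body.scan(/(\\*)'/).all? { |m| m[0].length.odd? }
end

# True when the rendered line contains a literal "</script", which would end
# the <script> element before the JS engine ever sees the string.
def breaks_out_of_script_tag?(js)
  !!(js =~ /<\/script/i)
end

if __FILE__ == $0
  quote_payload  = "'); alert(1); //"
  tag_payload    = "</script><script>alert(1)</script>"
  bare_payload   = "alert(1)"

  puts "inside string:  #{safe_template(quote_payload)}"
  puts "  intact?       #{string_literal_intact?(safe_template(quote_payload))}"
  puts "tag breakout:   #{safe_template(tag_payload)}"
  puts "  breaks out?   #{breaks_out_of_script_tag?(safe_template(tag_payload))}"
  puts "bare position:  #{unsafe_template(bare_payload)}"
  puts "  intact?       #{string_literal_intact?(unsafe_template(bare_payload))}"
end
```

In the string-literal context the quote and the `</` are both escaped, so neither a string breakout nor a `</script>` breakout works, which is the case Brakeman is flagging here and which the maintainer confirms is a false positive. In the bare context nothing in the payload is a character the helper touches, so `alert(1)` is emitted as live code; the helper name alone says nothing about safety, only the surrounding quotes do.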