From c1ac735bfb2fde35d4a5b7cab53134a0ae9a197d Mon Sep 17 00:00:00 2001
From: Andrea Brancaleoni
Date: Thu, 27 Jul 2023 21:09:35 +0200
Subject: [PATCH] no-backticks-in-js-handlers.yaml: fixes

- better wording
- comprehensive regex matching
---
 .../semgrep_rules/web/no-backticks-in-js-handlers.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/assets/semgrep_rules/web/no-backticks-in-js-handlers.yaml b/assets/semgrep_rules/web/no-backticks-in-js-handlers.yaml
index c24637a5..06c149bb 100644
--- a/assets/semgrep_rules/web/no-backticks-in-js-handlers.yaml
+++ b/assets/semgrep_rules/web/no-backticks-in-js-handlers.yaml
@@ -1,5 +1,8 @@
 rules:
 - id: no-backticks-in-js-handlers
+  metadata:
+    author: Andrea Brancaleoni @ Brave
+    source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/web/no-backticks-in-js-handlers.yaml
   patterns:
   - pattern-either:
     - pattern-inside: $HANDLER="..."
@@ -8,10 +11,10 @@ rules:
     - pattern-regex: '`{{[^}]+}}`'
   - metavariable-regex:
       metavariable: $HANDLER
-      regex: on(abort|auxclick|beforeinput|beforematch|beforetoggle|cancel|canplay|canplaythrough|change|click|close|contextlost|contextmenu|contextrestored|copy|cuechange|cut|dblclick|drag|dragend|dragenter|dragleave|dragover|dragstart|drop|durationchange|emptied|ended|formdata|input|invalid|keydown|keypress|keyup|loadeddata|loadedmetadata|loadstart|mousedown|mouseenter|mouseleave|mousemove|mouseout|mouseover|mouseup|paste|pause|play|playing|progress|ratechange|reset|securitypolicyviolation|seeked|seeking|select|slotchange|stalled|submit|suspend|timeupdate|toggle|volumechange|waiting|webkitAnimationEnd|webkitAnimationIteration|webkitAnimationStart|webkitTransitionEnd|wheel)
+      regex: (?i)on[a-z]{3,40}
   message: |
-    Backtick in JS handler may cause XSS since they are typically not auto escaped in variables.
+    Backtick in JS handler may cause XSS since they are typically not auto-escaped in variables.
 
-    Consider using single or double apices, instead of backticks.
+    Consider using single or double quotes instead of backticks.
   languages: [generic]
   severity: WARNING
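Review bot: The broadened `regex: (?i)on[a-z]{3,40}` on the $HANDLER metavariable is unanchored, so whether it fires only on attribute names that start with `on` depends on whether Semgrep applies search or full-match semantics to metavariable-regex; under search semantics an attribute such as `condition="..."` (containing `ondition`) would also trigger the rule, which matters for a `generic`-language rule that runs over arbitrary text. Anchoring it as `regex: (?i)^on[a-z]{3,40}$` states the intent explicitly and is harmless if the engine already requires a full match. A short comment above the metavariable-regex, e.g. `# prefix match on purpose: covers handlers missing from the old explicit list (onload, onerror, ...)`, would also explain why the exhaustive event list was dropped. Lines 6-7 of the rule (the rest of pattern-either) fall between the two hunks and are not visible here.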