Features/ruleset no backticks in js handlers #292
Conversation
@@ -0,0 +1,6 @@ | |||
// ruleid: no-backticks-in-js-handlers | |||
onclick="call('good', `{{var}}`, `{{var}}`)" |
reported by reviewdog 🐶
[semgrep] Backtick in JS handler may cause XSS since they are typically not auto escaped in variables.
Consider using single or double apices, instead of backticks.
Source: https://github.com/brave/security-action
Cc @thypon @bcaller
TIL
In written Latin, the apex (plural "apices") is a mark with roughly the shape of an acute accent ◌́ which was sometimes placed over vowels to indicate that they are long.
now you know what they mean by "apex twins" :P
// ruleid: no-backticks-in-js-handlers | ||
onclick="call('good', `{{var}}`, `{{var}}`)" | ||
// ruleid: no-backticks-in-js-handlers | ||
onclick='call("good", `{{var}}`, `{{var}}`)' |
reported by reviewdog 🐶
[semgrep] Backtick in JS handler may cause XSS since they are typically not auto escaped in variables.
Consider using single or double apices, instead of backticks.
Source: https://github.com/brave/security-action
Cc @thypon @bcaller
// ruleid: no-backticks-in-js-handlers | ||
onclick='call("good", `{{var}}`, `{{var}}`)' | ||
// ruleid: no-backticks-in-js-handlers | ||
onclick=call('good', `{{var}}`, `{{var}}`) |
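Review bot: all six added lines are `ruleid:` positives and there is no `// ok: no-backticks-in-js-handlers` case, so the test cannot show that the rule stays quiet on the fix its own message recommends. Suggest adding a quoted-argument line such as `onclick="call('good', '{{var}}')"` under an `// ok:` annotation so a regression that over-matches ordinary quoted handlers is caught.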
reported by reviewdog 🐶
[semgrep] Backtick in JS handler may cause XSS since they are typically not auto escaped in variables.
Consider using single or double apices, instead of backticks.
Source: https://github.com/brave/security-action
Cc @thypon @bcaller
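To make the finding reported above concrete outside semgrep, here is a small scanner that captures the intent of the no-backticks-in-js-handlers rule on raw HTML text and runs it over the three attribute shapes from the test file. This is an added example, not code from brave/security-action or its ruleset; the function and constant names and the sample markup are this example's own.

```javascript
// Added example, not part of brave/security-action or its ruleset: a small
// scanner that mirrors the intent of the no-backticks-in-js-handlers rule
// on raw HTML text. All names below are this example's own assumptions.

// Inline handler attribute (on*) followed by a value in one of the three
// quoting forms present in the test file: "...", '...' or unquoted.
// For the unquoted form we deliberately read up to the closing '>' rather
// than stopping at the first whitespace as a browser would, because the
// rule is about what the author wrote, not what the parser would keep.
const HANDLER_PATTERN = String.raw`\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^>]*))`;

function findBacktickHandlers(html) {
  // Fresh regex per call so the global lastIndex state is never shared.
  const re = new RegExp(HANDLER_PATTERN, 'gi');
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!value.includes('`')) continue;
    // 1-based line number of the attribute, for a semgrep-like report.
    // m.index points at the whitespace before the attribute name, so
    // include that character when counting newlines.
    const line = html.slice(0, m.index + 1).split('\n').length;
    findings.push({ line, attr: m[1].toLowerCase(), value });
  }
  return findings;
}

// Constructed sample markup: lines 1-3 are the three shapes from the PR's
// test file and should be flagged; lines 4-5 should not.
const SAMPLE_HTML = [
  '<button onclick="call(\'good\', `{{var}}`, `{{var}}`)">a</button>',
  '<button onclick=\'call("good", `{{var}}`, `{{var}}`)\'>b</button>',
  '<button onclick=call(\'good\', `{{var}}`, `{{var}}`)>c</button>',
  // Quoted arguments, no template literal: the shape the bot recommends.
  '<button onclick="call(\'good\', \'{{var}}\')">d</button>',
  // A backtick outside an event handler attribute is not the rule's concern.
  '<a href="/x" data-note="`not a handler`">e</a>',
].join('\n');

// Render findings the way a linter would print them.
function formatFindings(findings) {
  return findings.map(
    (f) => `line ${f.line}: ${f.attr} contains a backtick (no-backticks-in-js-handlers)`
  );
}

console.log(formatFindings(findBacktickHandlers(SAMPLE_HTML)).join('\n'));
```

The reason the rule exists is visible in the scanner's negative case: an HTML autoescaper such as MarkupSafe rewrites `&`, `<`, `>`, `"` and `'`, but leaves backtick, `$`, `{` and `}` untouched, so a template literal wrapped around a templated value keeps its `${...}` interpolation syntax intact when the handler runs.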
54a2e41 to 29ee4de
sorry to nit
No description provided.