diff --git a/assets/semgrep_rules/web/no-backticks-in-js-handlers.yaml b/assets/semgrep_rules/web/no-backticks-in-js-handlers.yaml
new file mode 100644
index 00000000..c24637a5
--- /dev/null
+++ b/assets/semgrep_rules/web/no-backticks-in-js-handlers.yaml
@@ -0,0 +1,17 @@
+rules:
+ - id: no-backticks-in-js-handlers
+ patterns:
+ - pattern-either:
+ - pattern-inside: $HANDLER="..."
+ - pattern-inside: $HANDLER='...'
+ - pattern-inside: $HANDLER=...
+ - pattern-regex: '`{{[^}]+}}`'
+ - metavariable-regex:
+ metavariable: $HANDLER
+ regex: on(abort|auxclick|beforeinput|beforematch|beforetoggle|cancel|canplay|canplaythrough|change|click|close|contextlost|contextmenu|contextrestored|copy|cuechange|cut|dblclick|drag|dragend|dragenter|dragleave|dragover|dragstart|drop|durationchange|emptied|ended|formdata|input|invalid|keydown|keypress|keyup|loadeddata|loadedmetadata|loadstart|mousedown|mouseenter|mouseleave|mousemove|mouseout|mouseover|mouseup|paste|pause|play|playing|progress|ratechange|reset|securitypolicyviolation|seeked|seeking|select|slotchange|stalled|submit|suspend|timeupdate|toggle|volumechange|waiting|webkitAnimationEnd|webkitAnimationIteration|webkitAnimationStart|webkitTransitionEnd|wheel)
+ message: |
+ Backtick in JS handler may cause XSS since they are typically not auto escaped in variables.
+
+ Consider using single or double apices, instead of backticks.
+ languages: [generic]
+ severity: WARNING
diff --git a/t3sts/semgrep_rules/no-backticks-in-js-handlers.html b/t3sts/semgrep_rules/no-backticks-in-js-handlers.html
new file mode 100644
index 00000000..807101f3
--- /dev/null
+++ b/t3sts/semgrep_rules/no-backticks-in-js-handlers.html
@@ -0,0 +1,6 @@
+// ruleid: no-backticks-in-js-handlers
+onclick="call('good', `{{var}}`, `{{var}}`)"
+// ruleid: no-backticks-in-js-handlers
+onclick='call("good", `{{var}}`, `{{var}}`)'
+// ruleid: no-backticks-in-js-handlers
+onclick=call('good', `{{var}}`, `{{var}}`)
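Review bot: The remediation in `message` ("use single or double apices instead of backticks") points users at a fix that is still exploitable: an event-handler attribute is HTML-entity-decoded by the browser before it is parsed as JavaScript, so a template engine's HTML autoescape of `'`/`"` inside `onclick="call('{{var}}')"` is undone before the JS runs, and the variable can still break out of the quoted string. The message should instead steer away from interpolating template variables into inline handlers at all, or require a JS-specific escaping filter, e.g. `Do not interpolate template variables into inline event handlers; move the value to a data-* attribute or a JSON script block, or apply a JavaScript-escaping filter (not plain HTML autoescape).` Two detection gaps are also visible in the hunk: the `metavariable-regex` allowlist omits the classic sinks `load`, `error`, `focus`, `blur`, `scroll` and `resize` (consider `regex: ^on[a-zA-Z]+$`, assuming metavariable-regex is anchored the way the rule needs), and `pattern-regex: '`{{[^}]+}}`'` only fires when the `{{...}}` is the entire template literal, so `` `prefix {{var}}` `` is missed (something like `'`[^`]*{{[^}]+}}[^`]*`'` would cover it). The `$HANDLER=...` alternative presumably already subsumes the two quoted `pattern-inside` forms in generic mode, so they may be redundant; worth confirming with the test fixture.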
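Review bot: The fixture only has `ruleid:` positives and no `ok:` negatives, so it cannot catch the rule firing on safe or out-of-scope input; add at least `// ok: no-backticks-in-js-handlers` over a case such as `onclick="call('good', '{{var}}')"` and over a non-handler attribute like `data-x="`{{var}}`"`. It would also help to record the known false negative `onclick="call(`prefix {{var}}`)"` with a `// todoruleid:` marker so the gap in the regex is tracked rather than silently accepted. The three positives differ only in the quoting of the attribute value; one case with a handler that is not in the rule's allowlist (e.g. `onerror`) would make the allowlist limitation visible in the tests.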