Packages
sobelow
0.10.6
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/sobelow/xss.ex
defmodule Sobelow.XSS do
@moduledoc """
# Cross-Site Scripting
Cross-Site Scripting (XSS) vulnerabilities are a result
of rendering untrusted input on a page without proper encoding.
XSS may allow an attacker to perform actions on behalf of
other users, steal session tokens, or access private data.
Read more about XSS here:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
XSS checks can be ignored with the following command:
$ mix sobelow -i XSS
"""
alias Sobelow.XSS.Raw
@submodules [Sobelow.XSS.SendResp, Sobelow.XSS.ContentType, Sobelow.XSS.Raw, Sobelow.XSS.HTML]
use Sobelow.FindingType
def get_vulns(fun, meta_file, web_root, skip_mods \\ []) do
controller =
if meta_file.is_controller? do
String.replace_suffix(meta_file.filename, "_controller.ex", "")
|> Path.basename()
end
allowed = @submodules -- (Sobelow.get_ignored() ++ skip_mods)
Enum.each(allowed, fn mod ->
if mod === Raw do
apply(mod, :run, [fun, meta_file, web_root, controller])
else
apply(mod, :run, [fun, meta_file])
end
end)
end
def get_template_vulns(meta_file) do
allowed = @submodules -- Sobelow.get_ignored()
funs = meta_file.raw
if Enum.member?(allowed, Raw) do
Enum.each(funs, fn fun ->
apply(Raw, :run, [[fun], meta_file, nil, nil])
end)
end
end
def details() do
IO.ANSI.Docs.print(@moduledoc, [])
end
end