Packages
sobelow
0.4.1
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/sobelow/xss.ex
defmodule Sobelow.XSS do
@moduledoc """
# Cross-Site Scripting
Cross-Site Scripting (XSS) vulnerabilities are a result
of rendering untrusted input on a page without proper encoding.
XSS may allow an attacker to perform actions on behalf of
other users, steal session tokens, or access private data.
Read more about XSS here:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
XSS checks can be ignored with the following command:
$ mix sobelow -i XSS
"""
alias Sobelow.XSS.Raw
@submodules [Sobelow.XSS.SendResp,
Sobelow.XSS.Raw]
use Sobelow.Finding
def get_vulns(fun, filename, web_root, skip_mods \\ []) do
controller = String.replace_suffix(filename, "_controller.ex", "")
controller = String.replace_prefix(controller, "/controllers/", "")
controller = String.replace_prefix(controller, "/web/controllers/", "")
controller = String.replace_prefix(controller, "/#{Sobelow.get_env(:app_name)}/web/controllers/", "")
path = web_root <> String.replace_prefix(filename, "/web/", "")
|> Path.expand("")
|> String.replace_prefix("/", "")
allowed = @submodules -- (Sobelow.get_ignored() ++ skip_mods)
Enum.each allowed, fn mod ->
if mod === Raw do
apply(mod, :run, [fun, path, web_root, controller])
else
apply(mod, :run, [fun, path])
end
end
end
end