{
"id": "63f7463a579c6d8770d6f026b690a38a616ee76465382607b73ea39b493523de",
"category": "sast",
"name": "Improper neutralization of input during web page generation ('Cross-site Scripting')",
"description": "The application was found calling `dangerouslySetInnerHTML` which may lead to Cross Site\nScripting (XSS). By default, React components will encode the data properly before rendering.\nCalling `dangerouslySetInnerHTML` disables this encoding and allows raw markup\nand JavaScript to be executed.\n\nXSS is an attack which exploits a web application or system to treat\nuser input as markup or script code. It is important to encode the data, depending on the\nspecific context it is used in. There are at least six context types:\n\n- Inside HTML tags `<div>context 1</div>`\n- Inside attributes: `<div class=\"context 2\"></div>`\n- Inside event attributes `<button onclick=\"context 3\">button</button>`\n- Inside script blocks: `<script>var x = \"context 4\"</script>`\n- Unsafe element HTML assignment: `element.innerHTML = \"context 5\"`\n- Inside URLs: `<iframe src=\"context 6\"></iframe><a href=\"context 6\">link</a>`\n\nScript blocks alone have multiple ways they need to be encoded. Extra care must be taken if\nuser input is ever output inside of script tags.\n\nUser input that is displayed within the application must be encoded, sanitized or validated\nto ensure it cannot be treated as HTML or executed as JavaScript code. Care must also be taken\nto not mix server-side templating with client-side templating, as the server-side templating\nwill not encode things like {{ 7*7 }} which may execute client-side templating features.\n\nIt is _NOT_ advised to encode user input prior to inserting into a data store. The data will\nneed to be encoded depending on the context where it is output. It is much safer to force the displaying\nsystem to handle the encoding and not attempt to guess how it should be encoded.\n\nRemove the call to `dangerouslySetInnerHTML` or ensure that the data used in this call does\nnot come from user-supplied input.\n\nFor more information on dangerously setting inner HTML see:\n- https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html\n",
"cve": "semgrep_id:eslint.react-dangerouslysetinnerhtml:75:83",
"severity": "Medium",
"scanner": {
"id": "semgrep",
"name": "Semgrep"
},
"location": {
"file": "docs/src/theme/Footer/index.js",
"start_line": 75,
"end_line": 83
},
"identifiers": [
{
"type": "semgrep_id",
"name": "eslint.react-dangerouslysetinnerhtml",
"value": "eslint.react-dangerouslysetinnerhtml",
"url": "https://semgrep.dev/r/gitlab.eslint.react-dangerouslysetinnerhtml"
},
{
"type": "cwe",
"name": "CWE-79",
"value": "79",
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"type": "owasp",
"name": "A03:2021 - Injection",
"value": "A03:2021"
},
{
"type": "owasp",
"name": "A7:2017 - Cross-Site Scripting (XSS)",
"value": "A7:2017"
},
{
"type": "eslint_rule_id",
"name": "ESLint rule ID/react-dangerouslysetinnerhtml",
"value": "react-dangerouslysetinnerhtml"
}
]
}