# Copyright (c) 2015 Sqreen. All Rights Reserved.
# Please refer to our terms for more information: https://www.sqreen.io/terms.html

require 'cgi'
require 'sqreen/rules_callbacks/regexp_rule'

module Sqreen
  module Rules
    # Reflected-XSS callback: runs before the instrumented call and looks at
    # its first argument. The case of interest is a value that came straight
    # from the request parameters and is already flagged html_safe, since the
    # framework will then emit it without escaping.
    class ReflectedXSSCB < RegexpRuleCB
      # Pre-hook for the instrumented call.
      #
      # _inst  - receiver of the instrumented call (unused)
      # args   - its arguments; only args[0] is examined
      # _block - its block (unused)
      #
      # Returns nil. Side effects: in blocking mode args[0] is HTML-escaped in
      # place; when the original value matches the rule regexp an event is
      # recorded.
      def pre(_inst, *args, &_block)
        candidate = args[0]
        return if candidate.nil?
        # A value that is not html_safe will be escaped later by the
        # framework, so there is nothing to do here.
        return unless candidate.html_safe?
        # Only values originating from the request parameters matter.
        return unless framework.params_include?(candidate)

        Sqreen.log.debug { format('Found unescaped user param: %s', candidate) }
        return unless candidate.is_a?(String)

        # Keep an untouched copy for the detection step: the escape below
        # rewrites args[0] (and thus `candidate`) in place.
        original = candidate.dup
        # NOTE(review): `block` here is not the &_block parameter but a method
        # on the callback -- presumably the rule's blocking-mode flag inherited
        # from RegexpRuleCB; confirm. Escaping happens regardless of whether
        # the regexp matches, so blocking does not depend on detection.
        args[0].replace(CGI.escape_html(candidate)) if block

        # Detection only decides whether to record the event; the response to
        # the user does not depend on it, so it could run in the background.
        found = match_regexp(original)
        return unless found

        details = { :found => found }
        record_event(details)
        nil
      end
    end
  end
end