# Copyright (c) 2015 Sqreen. All Rights Reserved.
# Please refer to our terms for more information: https://www.sqreen.io/terms.html

require 'cgi'
require 'sqreen/rules_callbacks/regexp_rule'

module Sqreen
  module Rules
    # Reflected-XSS callback.
    #
    # Runs as a +pre+ hook on an instrumented method (presumably a view/output
    # helper; the exact hook point is configured outside this file) and looks
    # at the first argument. A string is only at risk if it is already marked
    # +html_safe?+ -- anything else will be escaped by the view layer -- and
    # if the framework reports that it came from the request parameters. In
    # that case the string is HTML-escaped in place when the rule is in
    # blocking mode, and the original value is matched against the rule's
    # regexps so an attack can be recorded.
    #
    # NOTE(review): +html_safe?+ is the ActiveSupport core extension; outside
    # Rails/ActiveSupport a plain String does not respond to it -- confirm the
    # hook is only installed where ActiveSupport is loaded.
    class ReflectedXSSCB < RegexpRuleCB
      # Pre-hook entry point.
      #
      # _inst   - the instrumented receiver (unused here)
      # args    - the instrumented method's arguments; only args.first is
      #           inspected and possibly rewritten in place
      # _block  - the instrumented method's block (unused here)
      #
      # Returns nil in every case; the hook acts purely through side effects
      # (mutating args.first, logging, recording an event).
      def pre(_inst, *args, &_block)
        param = args.first
        # nil never reaches output; a non-html_safe string will be escaped
        # later by the framework, so neither needs any action from us.
        return if param.nil? || !param.html_safe?
        # Only user-controlled input is a reflected-XSS candidate.
        # (presumably a lookup of the string in the current request's params;
        # framework comes from RegexpRuleCB -- verify.)
        return unless framework.params_include?(param)
        # NOTE(review): this logs raw user input at debug level; it may
        # contain newlines or sensitive data -- acceptable for debug, but
        # worth remembering when reading logs.
        Sqreen.log.debug { format('Found unescaped user param: %s', param) }
        # Keep an untouched copy: the in-place replace below would otherwise
        # destroy the text we still need to match against the regexps.
        original = param.dup
        # Potential XSS: escape & < > " ' in place. String#replace keeps the
        # receiver object (and therefore its html_safe flag), so the escaped
        # text is what the caller ends up emitting verbatim. `block` is NOT
        # the &_block parameter -- it resolves to a method, presumably the
        # rule's blocking-mode flag inherited from RegexpRuleCB (TODO confirm).
        param.replace(CGI.escape_html(param)) if block
        # Everything from here on only decides whether the input was an
        # attack and records it; the response no longer depends on it, so it
        # could run in the background. The match runs on the pre-escape copy
        # and happens whether or not blocking mode rewrote the argument.
        attack = match_regexp(original)
        return unless attack
        event = { found: attack }
        record_event(event)
        nil
      end
    end
  end
end