OeditusCredo.Check.Security.XSSVulnerability
(OeditusCredo v0.6.2)
View Source
Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of higher and works with any version of Elixir.
Explanation
Detects potential Cross-Site Scripting (XSS) vulnerabilities (CWE-79).
Rendering unescaped user-controlled HTML with raw/1 or {:safe, ...}
can allow script injection.
This check skips string literals, ~S sigils, and ~s sigils that
contain no interpolation (all compile-time constants). If you see a
~s without interpolation being used with raw/1, consider switching
to ~S -- see OeditusCredo.Check.Readability.UnnecessaryInterpolatingSigil.
Bad:
raw(user_input)
{:safe, user_html}Good:
# Let Phoenix escape by default
content_tag(:div, user_input)Check-Specific Parameters
Use the following parameters to configure this check:
:exclude_test_files
Set to true to skip test files (default: false)
This parameter defaults to nil.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.