OeditusCredo.Check.Security.XSSVulnerability
(OeditusCredo v0.6.3)
Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of higher and works with any version of Elixir.
Explanation
Detects potential Cross-Site Scripting (XSS) vulnerabilities (CWE-79).
Rendering unescaped user-controlled HTML with raw/1 or {:safe, ...}
can allow script injection.
This check skips string literals, ~S sigils, and ~s sigils that
contain no #{} interpolation (all compile-time constants).
Backslash escape sequences (\n, \t, etc.) are allowed because
they do not introduce user-controlled content.
If you see a ~s without interpolation or escape sequences being
used with raw/1, consider switching to ~S -- see
OeditusCredo.Check.Readability.UnnecessaryInterpolatingSigil.
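The following is an added example written for this page, not OeditusCredo's own implementation of the check. It is a miniature of the heuristic described above: it parses an Elixir snippet with the standard-library Code.string_to_quoted/1, walks the AST with Macro.prewalk/3, and reports raw/1 calls and {:safe, _} tuples whose payload is not a compile-time constant, using the same definition of "constant" the explanation gives (string literal, any ~S sigil, or a ~s sigil without #{} interpolation). The module name XssScan, the messages and the sample snippet are assumptions made for the illustration.

```elixir
# Added example for this page, not OeditusCredo's code. Run with: elixir xss_scan.exs
defmodule XssScan do
  # Compile-time constants, as the check defines them: a string literal, any
  # ~S sigil, or a ~s sigil whose segments are all literal binaries. A #{}
  # interpolation shows up as a non-binary segment inside the <<>> node, while
  # backslash escapes stay inside the binary segments and do not change the verdict.
  defp constant?(str) when is_binary(str), do: true
  defp constant?({:sigil_S, _meta, _args}), do: true

  defp constant?({:sigil_s, _meta, [{:<<>>, _m, segments}, _mods]}),
    do: Enum.all?(segments, &is_binary/1)

  defp constant?(_other), do: false

  # Variables and calls carry line metadata; plain literals do not.
  defp line_of({_form, meta, _args}) when is_list(meta), do: Keyword.get(meta, :line)
  defp line_of(_literal), do: nil

  @doc "Returns [{line, message}] for every suspicious raw/1 or {:safe, _} in `source`."
  def scan(source) when is_binary(source) do
    {:ok, ast} = Code.string_to_quoted(source)

    {_ast, issues} =
      Macro.prewalk(ast, [], fn
        # Local call: raw(arg)
        {:raw, meta, [arg]} = node, acc ->
          {node, flag(acc, constant?(arg), meta[:line], "raw/1 with non-constant argument")}

        # Remote call such as Phoenix.HTML.raw(arg)
        {{:., _dot, [_module, :raw]}, meta, [arg]} = node, acc ->
          {node, flag(acc, constant?(arg), meta[:line], "raw/1 with non-constant argument")}

        # Two-element tuples are literals in the AST, so {:safe, x} appears as itself.
        {:safe, arg} = node, acc ->
          {node, flag(acc, constant?(arg), line_of(arg), "{:safe, _} with non-constant payload")}

        node, acc ->
          {node, acc}
      end)

    Enum.reverse(issues)
  end

  defp flag(acc, true, _line, _msg), do: acc
  defp flag(acc, false, line, msg), do: [{line, msg} | acc]
end

# Constructed sample input (not from the page) mixing flagged and skipped forms.
# ~S is used here so the #{} inside the sample is handed to the parser, not expanded.
sample = ~S"""
raw(user_input)
{:safe, user_html}
raw("<b>constant</b>")
raw(~S(<b>constant</b>))
raw(~s(line\nbreak))
raw(~s(<b>#{name}</b>))
Phoenix.HTML.raw(params["bio"])
content_tag(:div, user_input)
"""

for {line, message} <- XssScan.scan(sample) do
  IO.puts("line #{line}: #{message}")
end
```

The string literal, the ~S sigil and the escape-only ~s sigil pass through untouched, which is exactly why the page recommends ~S for constant markup: a ~s without interpolation is accepted here too, but it invites someone to add a #{} later and turn a safe constant into a sink. Anything else handed to raw/1 or wrapped in {:safe, _} is reported, including values pulled out of a params map via a remote call, which a purely name-based check would miss.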
Bad:
raw(user_input)
{:safe, user_html}
Good:
# Let Phoenix escape by default
content_tag(:div, user_input)
Check-Specific Parameters
Use the following parameters to configure this check:
:exclude_test_files
Set to true to skip test files (default: false).
The generated default for this parameter is nil; nil is falsy in Elixir, so test files are checked unless you set it to true.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.
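An added example of a .credo.exs that enables this check (it is disabled by default, as noted under Basics) and sets its one parameter. This is not from the OeditusCredo documentation: the check module and :exclude_test_files are the names documented on this page, and the surrounding structure is Credo's standard configuration layout with a single "default" profile, assumed here for the illustration.

```elixir
# .credo.exs (added example for this page, not OeditusCredo's own config)
%{
  configs: [
    %{
      name: "default",
      checks: %{
        enabled: [
          # Enable the check and skip test files; leave the parameter out
          # (or set it to false) to have test files scanned as well.
          {OeditusCredo.Check.Security.XSSVulnerability, [exclude_test_files: true]}
        ]
      }
    }
  ]
}
```

Skipping test files reduces noise from fixtures that deliberately build HTML, but it also hides raw/1 uses in test support code that later gets promoted into the application; run once without the option before deciding.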