| field | value | date |
|---|---|---|
| author | Guillaume Peoc'h <guillaume.peoch@sonarsource.com> | 2022-08-30 10:30:24 +0200 |
| committer | sonartech <sonartech@sonarsource.com> | 2022-08-31 20:03:03 +0000 |
| commit | bb25868c68dc3c6639b958f06925528fb0d888d3 (patch) | |
| tree | 8dba3a81857d7399313a48aaaee6fc3fafa3cf9d /plugins | |
| parent | f04d1975aa5892a5a4ce236705cc5c4cd668d669 (diff) | |
| download | sonarqube-bb25868c68dc3c6639b958f06925528fb0d888d3.tar.gz sonarqube-bb25868c68dc3c6639b958f06925528fb0d888d3.zip | |
SONAR-17201 Sanitize code before injecting it in DOM + UI fix
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/sonar-education-plugin/src/main/resources/org/sonar/education/2codeSnippets.html | 107 |
1 files changed, 66 insertions, 41 deletions
diff --git a/plugins/sonar-education-plugin/src/main/resources/org/sonar/education/2codeSnippets.html b/plugins/sonar-education-plugin/src/main/resources/org/sonar/education/2codeSnippets.html index 9889cbc5ebd..137d0a02b79 100644 --- a/plugins/sonar-education-plugin/src/main/resources/org/sonar/education/2codeSnippets.html +++ b/plugins/sonar-education-plugin/src/main/resources/org/sonar/education/2codeSnippets.html 
@@ -1,45 +1,70 @@ -<p>An infinite loop is one that will never end while the program is running, i.e., you have to kill the program to get out of the loop. Whether it is - by meeting the loop’s end condition or via a <code>break</code>, every loop should have an end condition.</p> -<h3>Known Limitations</h3> -<ul> - <li> False positives: when <code>yield</code> is used - <a href="https://github.com/SonarSource/SonarJS/issues/674">Issue #674</a>. </li> - <li> False positives: when an exception is raised by a function invoked within the loop. </li> - <li> False negatives: when a loop condition is based on an element of an array or object. </li> -</ul> -<h2>Noncompliant Code Example</h2> -<pre data-diff-id="example-1" data-diff-type="noncompliant">for (;;) { // Noncompliant; end condition omitted - // ... -} +<p>This is an example of an attempt to run some code on our</p> +<h3>Cross-site scripting (XSS) attack</h3> -var j = 0; -while (true) { // Noncompliant; constant end condition - j++; -} +<p> + Assistive technologies, such as screen readers, use <code><th></code> headers to provide + some context when users navigates a table. Without it the user gets rapidly lost in the flow of + data. +</p> +<p> + Headers should be properly associated with the corresponding <code><td></code> cells by + using either a <code>scope</code> attribute or <code>headers</code> and + <code>id</code> attributes. See <a href="https://www.w3.org/WAI/tutorials/tables/tips/" + >W3C WAI Web Accessibility Tutorials</a + > for more information. +</p> +<p> + This rule raises an issue whenever a <code><table></code> does not contain + any <code><th></code> elements. 
+</p> -var k; -var b = true; -while (b) { // Noncompliant; constant end condition - k++; -} -</pre> -<h2>Compliant Solution</h2> -<pre data-diff-id="example-1" data-diff-type="compliant">while (true) { // break will potentially allow leaving the loop - if (someCondition) { - break; - } -} +<p> + Moreover in this example, we attempted a Cross-site scripting attack by adding a script tag and + adding a onload property to the pre tag. The code being sanitized before being injected in the DOM + prevents us from being vulnerable. +</p> -var k; -var b = true; -while (b) { - k++; - b = k < 10; -} +<h2>Noncompliant Code Example</h2> +<pre data-diff-id="example-1" data-diff-type="noncompliant" onload="alert('You got hacked')"> +<table> <!-- Noncompliant --> + <tr> + <td>Name</td> + <td>Age</td> + </tr> + <tr> + <td>John Doe</td> + <td>24</td> + </tr> + <tr> + <td>Alice Doe</td> + <td>54</td> + </tr> +</table> + <script> + alert('you got hacked!!'); + </script> +</pre> -outer: -while(true) { - while(true) { - break outer; - } -} -</pre>
\ No newline at end of file +<h2>Compliant Solution</h2> +<pre data-diff-id="example-1" data-diff-type="compliant"> +<table> + <tr> + <th scope="col">Name</th> + <th scope="col">Age</th> + </tr> + <tr> + <td>John Doe</td> + <td>24</td> + </tr> + <tr> + <td>Alice Doe</td> + <td>54</td> + </tr> +</table> +<script> + alert('nevermind, you good..'); +</script> + <script> + alert('nevermind, you good..'); + </script> +</pre> |
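Review bot: neither payload in this fixture would execute even with no sanitization at all, so the hunk does not exercise what the commit message claims. `onload` is not an event the browser fires on a `<pre>` element, and `<script>` elements inserted through `innerHTML` are never run, so `onload="alert('You got hacked')"` and the inline `alert('you got hacked!!')` say nothing about whether the sanitizer works; a handler the browser does fire on insertion (for example `onerror` on an `<img>` whose `src` cannot load) would make this a real regression fixture. Smaller points in the same hunk: the opening `<p>This is an example of an attempt to run some code on our</p>` is cut off mid-sentence; the compliant block carries the same `<script>` twice, once flush left and once indented; and the `<th>`, `<td>` and `<table>` names inside `<code>` must be entity-escaped (`&lt;th&gt;`) if they are literal `<` in the file, otherwise the browser parses them as elements and the `<code>` content is lost. Finally, the sanitizer this page relies on is not visible here (diffstat limited to `plugins`), so the sentence "The code being sanitized before being injected in the DOM prevents us from being vulnerable" rests on a change outside this view; a UI test asserting that no `onload` attribute or `<script>` element survives in the rendered snippet would back the claim up.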