Name: Client side cross-site scripting


Writing user input directly to the DOM allows for a cross-site scripting vulnerability.

ID: js/xss

Kind: path-problem

Severity: error

Precision: high

 * @name Client side cross-site scripting
 * @description Writing user input directly to the DOM allows for
 *              a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
 * @precision high
 * @id js/xss
 * @tags security
 *       external/cwe/cwe-079
 *       external/cwe/cwe-116

import javascript
import DataFlow::PathGraph

from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.",
       source.getNode(), "user-provided value"

Directly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.

This kind of vulnerability is also called DOM-based cross-site scripting, to distinguish it from other types of cross-site scripting.


To guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.


The following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.

     1function setLanguageOptions() {
     2    var href = document.location.href,
     3        deflt = href.substring(href.indexOf("default=")+8);
     4    document.write("<OPTION value=1>"+deflt+"</OPTION>");
     5    document.write("<OPTION value=2>English</OPTION>");
function setLanguageOptions() {
    var href = document.location.href,
        deflt = href.substring(href.indexOf("default=")+8);
    document.write("<OPTION value=1>"+deflt+"</OPTION>");
    document.write("<OPTION value=2>English</OPTION>");