Reflected Cross-Site Scripting (XSS) - Elixir

Need

Prevent injection of malicious scripts into dynamically generated web content

Context

  • Usage of Elixir 1.13.0 for building scalable and fault-tolerant applications
  • Usage of Plug for request management
  • Dynamic content generation

Description

Non compliant code

defmodule VulnerableController do
  use Plug.Router

  # Query parameters must be fetched before conn.params can be read.
  plug :fetch_query_params
  plug :match
  plug :dispatch

  get "/search" do
    query = conn.params["query"]
    # Search is the application's own module; the results are not used here.
    _results = Search.query(query)

    # The raw parameter is interpolated straight into an HTML response body.
    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, "Search results for: #{query}")
  end
end

The '/search' endpoint copies the 'query' parameter into an HTML response without escaping it. An attacker who gets a user to open a crafted link, for example one whose 'query' value contains a script element, has that script reflected in the response and executed by the user's browser in the context of the site, which is a reflected XSS vulnerability.

Steps

  • Escape user-controlled values at the point where they are written into HTML, using Phoenix.HTML.html_escape/1 (which returns {:safe, iodata}) followed by Phoenix.HTML.safe_to_string/1. This is output encoding, not input sanitization: apply it to the value being rendered, not to the value being stored or searched.
  • Replace the direct interpolation of conn.params["query"] with the escaped value, and set an explicit text/html content type so the browser does not have to guess the response type.

Compliant code

defmodule SecureController do
  use Plug.Router

  plug :fetch_query_params
  plug :match
  plug :dispatch

  get "/search" do
    query = conn.params["query"]
    _results = Search.query(query)

    # Escape at the point of output: <, >, &, " and ' become HTML entities,
    # so the parameter can no longer introduce tags or break out of the text.
    # html_escape/1 treats nil (missing parameter) as an empty string.
    safe_query =
      query
      |> Phoenix.HTML.html_escape()
      |> Phoenix.HTML.safe_to_string()

    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, "Search results for: #{safe_query}")
  end
end

This solution escapes the user-provided value with Phoenix.HTML.html_escape/1, which converts the characters <, >, &, " and ' into the entities &lt;, &gt;, &amp;, &quot; and &#39;, and uses Phoenix.HTML.safe_to_string/1 to turn the resulting {:safe, iodata} back into a binary for interpolation. The browser therefore renders the attacker's input as text instead of interpreting it as markup, which removes the reflected XSS. Phoenix.HTML is a separate dependency (phoenix_html in mix.exs); Plug itself ships Plug.HTML.html_escape/1, which returns a binary with the same five characters escaped, if the application does not otherwise use Phoenix. This escaping is correct for element text and for values inside double-quoted attributes; a value placed in an unquoted attribute, a URL, or an inline script block needs encoding specific to that context.
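The following is an added example, not code from the original page. It puts the escaping step into a small Plug router that reflects the query in two HTML contexts, a text node and a double-quoted attribute, and drives it in-process with Plug.Test against a few constructed payloads, so the escaped output can be inspected without starting a server. The module names (SearchPage, SearchPageDemo), the escape/1 helper and the payloads are this example's own; html_escape/1, safe_to_string/1 and Plug.Test.conn/3 are the real library functions.

```elixir
# Added example (not from the original page). A hardened search page that
# reflects the query in two HTML contexts (a text node and a quoted attribute),
# exercised with Plug.Test against constructed payloads.
# Run with: elixir search_page_demo.exs  (Mix.install fetches plug and phoenix_html)
Mix.install([{:plug, "~> 1.14"}, {:phoenix_html, "~> 3.3"}])

defmodule SearchPage do
  use Plug.Router

  plug :fetch_query_params
  plug :match
  plug :dispatch

  # Escape once, at the point of output. Phoenix.HTML.html_escape/1 turns
  # < > & " ' into entities and returns {:safe, iodata}; safe_to_string/1
  # gives back a plain binary for interpolation. nil (missing param) becomes "".
  def escape(value) do
    value
    |> Phoenix.HTML.html_escape()
    |> Phoenix.HTML.safe_to_string()
  end

  get "/search" do
    safe_query = escape(conn.params["query"])

    # The same escaped value is safe both as element text and inside a
    # double-quoted attribute, because " is encoded as &quot;. It would NOT be
    # sufficient for an unquoted attribute, a URL, or an inline <script> block.
    html = """
    <!doctype html>
    <form action="/search">
      <input name="query" value="#{safe_query}">
    </form>
    <h1>Search results for: #{safe_query}</h1>
    """

    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, html)
  end
end

defmodule SearchPageDemo do
  import Plug.Test

  # Sends GET /search with the payload as the "query" param through the router
  # in-process (no HTTP server) and returns the response body.
  def body(payload) do
    conn = conn(:get, "/search", %{"query" => payload})
    SearchPage.call(conn, SearchPage.init([])).resp_body
  end

  # True if the payload reached the response verbatim, i.e. unescaped.
  def reflected_raw?(payload, body), do: String.contains?(body, payload)
end

# Constructed payloads: a script element, an event-handler tag, an attribute
# breakout using a double quote, and one using a single quote.
payloads = [
  ~S|<script>alert(document.cookie)</script>|,
  ~S|<img src=x onerror=alert(1)>|,
  ~S|"><svg onload=alert(1)>|,
  ~S|' autofocus onfocus=alert(1) x='|
]

for payload <- payloads do
  body = SearchPageDemo.body(payload)
  IO.puts("payload:  #{payload}")
  IO.puts("escaped:  #{SearchPage.escape(payload)}")
  IO.puts("reflected unescaped: #{SearchPageDemo.reflected_raw?(payload, body)}")
  IO.puts("")
end
```

For every payload the "reflected unescaped" line is false: the script payload comes back as &lt;script&gt;alert(document.cookie)&lt;/script&gt;, and the quote-based payloads come back with &quot; and &#39;, so neither the text node nor the value attribute can be broken out of. The escape/1 helper is deliberately the only place the encoding happens, which keeps the review question for this page to a single line per rendered value.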
