Prevent XSS vulnerabilities due to unvalidated user input in server error responses
defmodule MyApp.ErrorHandlerController do
  use MyAppWeb, :controller

  # Phoenix params are string-keyed maps, so the key must be "msg" (a string),
  # not 'msg' (a charlist), or this clause would never match a real request.
  def error(conn, %{"msg" => msg}) do
    # Vulnerable: the user-controlled msg is echoed verbatim and no Content-Type
    # is set, so a browser will sniff the body and render it as HTML.
    send_resp(conn, 500, msg)
  end
end
This code is vulnerable because it copies the 'msg' request parameter straight into the body of the 500 response without validation or encoding, and sends it with no explicit Content-Type header, so the browser treats the body as HTML. A request such as /error?msg=%3Cscript%3Ealert(1)%3C/script%3E therefore produces a page in which the attacker's script runs in the origin of the application: a reflected Cross-Site Scripting (XSS) vulnerability.
defmodule MyApp.ErrorHandlerController do
  use MyAppWeb, :controller

  def error(conn, %{"msg" => msg}) when is_binary(msg) do
    # html_escape/1 returns {:safe, iodata}; safe_to_string/1 unwraps it into a
    # plain binary, which is what send_resp/3 expects as a body.
    sanitized_msg = msg |> Phoenix.HTML.html_escape() |> Phoenix.HTML.safe_to_string()

    conn
    |> put_resp_content_type("text/html")
    |> send_resp(500, sanitized_msg)
  end
end
This code is secure because it passes the 'msg' parameter through 'html_escape/1' from the 'Phoenix.HTML' module before including it in the response. The function replaces the characters that carry meaning in HTML ('<', '>', '&', '"' and the single quote) with their entity forms, so a value such as <script>alert(1)</script> arrives in the browser as the literal text &lt;script&gt;alert(1)&lt;/script&gt; and is displayed, not executed. Note that 'html_escape/1' returns a '{:safe, iodata}' tuple rather than a string, so it must be unwrapped with 'safe_to_string/1' (or the binary-returning 'Plug.HTML.html_escape/1' used instead) before it is handed to 'send_resp/3'. The 'is_binary/1' guard rejects list- or map-shaped parameters, and setting the Content-Type explicitly stops the browser from sniffing the body. Escaping is the right fix when the message must be shown as HTML; where it does not, an even simpler option is to serve the body as text/plain or not to reflect user input into error pages at all.
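As an added example (not code from the original page), the following Plug-based responder applies the same escape-and-pin-content-type approach without depending on a Phoenix controller, together with an ExUnit test that feeds it a constructed script payload and asserts that the response body contains only the entity-encoded form. The module names 'MyApp.SafeErrorResponse' and 'MyApp.SafeErrorResponseTest' and the function 'send_error/2' are assumptions chosen for illustration; the library calls are 'Plug.HTML.html_escape/1', 'Plug.Conn.put_resp_content_type/2', 'Plug.Conn.send_resp/3' and 'Plug.Test.conn/2'.

```elixir
# Added example, not part of the original page. Names below are illustrative.
defmodule MyApp.SafeErrorResponse do
  import Plug.Conn

  @doc """
  Sends a 500 whose body includes a user-supplied message. The message is
  HTML-escaped and the Content-Type is pinned so the browser cannot sniff.
  """
  def send_error(conn, msg) when is_binary(msg) do
    # Plug.HTML.html_escape/1 returns a binary directly (no {:safe, _} wrapper):
    # "<script>" becomes "&lt;script&gt;", "&" becomes "&amp;", quotes become entities.
    escaped = Plug.HTML.html_escape(msg)

    conn
    |> put_resp_content_type("text/html")
    |> send_resp(500, "<h1>Error</h1><p>" <> escaped <> "</p>")
  end

  # Params that are not a string (lists, maps from ?msg[]=x style input) are
  # rejected instead of being interpolated.
  def send_error(conn, _other) do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(400, "invalid msg parameter")
  end
end

defmodule MyApp.SafeErrorResponseTest do
  use ExUnit.Case, async: true
  import Plug.Test

  test "script tags in the message are entity-encoded and content type is pinned" do
    # Constructed malicious input, the classic reflected-XSS probe.
    payload = "<script>alert(1)</script>"

    conn =
      conn(:get, "/error")
      |> MyApp.SafeErrorResponse.send_error(payload)

    assert conn.status == 500
    refute conn.resp_body =~ "<script>"
    assert conn.resp_body =~ "&lt;script&gt;alert(1)&lt;/script&gt;"
    assert Plug.Conn.get_resp_header(conn, "content-type") == ["text/html; charset=utf-8"]
  end

  test "non-string message parameters are rejected" do
    conn =
      conn(:get, "/error")
      |> MyApp.SafeErrorResponse.send_error(["not", "a", "string"])

    assert conn.status == 400
  end
end
```

Run it with 'mix test' inside a project that depends on :plug (and :ex_unit, which ships with Elixir). The second test matters in practice: Plug parses '?msg[]=a&msg[]=b' into a list, and a responder that only handles binaries would otherwise crash with a FunctionClauseError, which is itself a denial-of-service vector on an error handler.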