Add more verbose description for TaintedHtml (#4668)

Ref https://github.com/vimeo/psalm/issues/4590
2024-11-26 20:34:47 +01:00 · 2020-11-23 01:14:48 +01:00 · 2020-11-23 01:14:48 +01:00 · 2f8a5028d5
commit 2f8a5028d5
parent 3c7066f505
1 changed files with 27 additions and 0 deletions
--- a/docs/running_psalm/issues/TaintedHtml.md
+++ b/docs/running_psalm/issues/TaintedHtml.md
@ -2,6 +2,22 @@

 Emitted when user-controlled input can be passed into to an `echo` statement.

+## Risk
+
+This could lead to a potential Cross Site Scripting (XSS) vulnerability. Using a XSS vulnerability, an attacker could inject malicious JavaScript and execute any action JavaScript could do. Examples include:
+
+- Stealing authentication material (e.g. cookies, JWT tokens)
+- Exfiltrate sensitive information by reading the DOM
+- Keylog entries on the website (e.g. fake login form)
+
+Wheter this is exploitable or not depends on a few conditions:
+
+- Is an executable mimetype set? (e.g. `text/html`)
+- Is the content served inline or as attachment? (`Content-Disposition`)
+- Is the output properly sanitized? (e.g. stripping all HTML tags or having an allowlist of allowed characters)
+
+## Example
+
 ```php
 <?php

@ -13,3 +29,14 @@ function printName(string $name) {
    echo $name;
 }
 ```
+
+## Mitigations
+
+- Sanitize user-input by using functions such as `htmlentities` or use an allowlist.
+- Set all cookies to `HTTPOnly`.
+- Consider using Content Security Policy (CSP), to limit the risk of XSS vulnerabilities.
+
+## Further resources
+
+- [OWASP Wiki for Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)
+- [Content-Security-Policy - Web Fundamentals](https://developers.google.com/web/fundamentals/security/csp)