зеркало из https://github.com/microsoft/DevSkim.git
777 B
777 B
Review setTimeout for untrusted data
Summary
- Avoid use of untrusted data within
setTimeout
Description
Several DOM functions such as setTimeout and eval will execute a string parameter as code. If untrusted data (data from HTTP requests, user submitted files, etc.) is included in a setTimeout call it can allow an attacker to inject and execute their own code.
Recommendation
Edit the setTimeout call so that untrusted data is NOT included. If untrusted data is absolutely necessary a great deal of care should be taken to ensure it is properly escaped so that it cannot be executed. This is not as simple as just escaping quotes.