зеркало из https://github.com/microsoft/DevSkim.git
21 строка
933 B
Markdown
21 строка
933 B
Markdown
# Review eval for Untrusted Data
|
|
|
|
## Summary
|
|
|
|
|
|
|
|
### Details
|
|
|
|
If untrusted data is included in an eval statement it can allow an attacker to inject code into the application. Each usage of eval should be reviewed to ensure that no data generated outside of the application (from HTML requests, shared databases, etc.) can find its way into the eval statement
|
|
|
|
## Severity Considerations
|
|
|
|
An XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the victim's browser.
|
|
The attacker's code may be able to access sensitive information retained by the victim's browser.
|
|
XSS attacks can also rewrite page contents, redirect the victim's browser, and/or deliver malware to the victim's machine.
|
|
|
|
## References
|
|
|
|
* [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
|
|
* [OWASP XSS Attacks](https://owasp.org/www-community/attacks/xss/)
|