Metastatic.Analysis.BusinessLogic.InlineJavascript
(Metastatic v0.10.4)
Detects inline executable code built from untrusted data in templates/strings (XSS/injection risk).
Universal pattern: interpolating a value directly into a script body or string of code without context-appropriate encoding (HTML escaping is not enough inside a script, since the script body is not entity-decoded; the value must be emitted as a JavaScript/JSON literal).
Examples
Python (Django view building a script tag with an f-string, unescaped):

```python
html = f'<script>var userId = {user_id};</script>'  # XSS risk: unescaped data; use json.dumps (or Django's json_script filter)
```

JavaScript (React with dangerouslySetInnerHTML):

```jsx
return <div dangerouslySetInnerHTML={{__html: userContent}} />;  // XSS vulnerability: userContent is inserted as raw HTML
```

Elixir (Phoenix HEEx template with raw JS):

```elixir
~H"""
<script>
  window.userId = <%= @user_id %>; // should use Phoenix.HTML.Tag or JSON-encode the value instead of interpolating it
</script>
"""
```

C# (ASP.NET Razor with Html.Raw):

```cshtml
@* XSS risk: Html.Raw bypasses encoding *@
@Html.Raw($"<script>var userId = {userId};</script>")
```

Go (template with unescaped JS):

```go
tmpl := template.Must(template.New("page").Parse(
	`<script>var userId = {{.UserID}};</script>`, // text/template does no escaping here; html/template would JS-escape the value
))
```

Java (JSP with script tag):

```java
out.println("<script>var userId = " + userId + ";</script>"); // XSS vulnerability
```

Ruby (Rails with javascript_tag):

```ruby
javascript_tag "var userId = " + user_id.to_s # XSS risk: use escape_javascript, or user_id.to_json for a literal
```

PHP (inline script without escaping):

```php
echo "<script>var userId = $userId;</script>"; // XSS risk: use json_encode with JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT, not htmlspecialchars
```
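The following worked example is added here and is not part of Metastatic or of the page's own snippets. It takes the Python case above, shows how an attacker-controlled value breaks out of the script element, and puts the hardened form beside it: the value is JSON-encoded and the characters the HTML tokenizer cares about are escaped so the result is always a JavaScript literal. The sample inputs are constructed, and the small regex detector at the end is a simplified illustration of the kind of source pattern this rule category matches, not Metastatic's implementation.

```python
import json
import re

# Constructed sample inputs (not from the page): a benign id, an attacker-controlled
# "id" carrying a script breakout, and a value with a U+2028 line separator, which
# is legal in JSON but terminates a JavaScript string literal in older engines.
BENIGN_ID = 42
HOSTILE_ID = "1;</script><script>alert(document.cookie)</script>"
HOSTILE_LINE_SEP = "abc\u2028alert(1)"


def render_unsafe(user_id) -> str:
    """The flagged pattern: the value is spliced straight into the <script> body."""
    return f"<script>var userId = {user_id};</script>"


def js_literal(value) -> str:
    """Encode a Python value as a JavaScript literal that is safe inside <script>.

    json.dumps yields a valid JS literal for str/int/float/bool/None/list/dict.
    The extra replacements keep the HTML tokenizer from seeing '</script' or
    '<!--' inside the literal (it does not decode entities in script bodies,
    so HTML escaping is the wrong tool here) and keep U+2028/U+2029 out of
    the JS source. Django's json_script filter applies the same idea.
    """
    encoded = json.dumps(value, ensure_ascii=False)
    for raw, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                     ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        encoded = encoded.replace(raw, esc)
    return encoded


def render_safe(user_id) -> str:
    """Hardened form: whatever the value is, it lands as a JS literal, never as code."""
    return f"<script>var userId = {js_literal(user_id)};</script>"


def script_close_count(markup: str) -> int:
    """Number of '</script' sequences the HTML tokenizer would see.

    A page that embeds exactly one <script> element should report 1; anything
    higher means attacker data terminated the element early.
    """
    return markup.lower().count("</script")


# Simplified, source-level illustration of what this kind of rule matches
# (an assumption about the category, not Metastatic's implementation): a
# <script> tag whose body carries a string or template interpolation marker.
INLINE_INTERPOLATION = re.compile(
    r"<script[^>]*>.*?("
    r"\{[^{}]+\}"        # f-string / JSX / Razor / C# interpolation
    r"|<%=.*?%>"         # ERB / EEx / JSP
    r"|\{\{.*?\}\}"      # Go / Jinja-style templates
    r'|"\s*\+'           # string concatenation
    r"|\$[A-Za-z_]"      # PHP / shell-style variables
    r")",
    re.S,
)


def flags_inline_interpolation(source_line: str) -> bool:
    """True when a line of template/source text matches the inline-JS pattern."""
    return INLINE_INTERPOLATION.search(source_line) is not None


if __name__ == "__main__":
    print(render_unsafe(HOSTILE_ID))
    print(render_safe(HOSTILE_ID))
    print(script_close_count(render_unsafe(HOSTILE_ID)),
          script_close_count(render_safe(HOSTILE_ID)))
```

Running the module prints the two renderings: the unsafe one contains three `</script` sequences (the attacker closed the element and opened their own), the hardened one exactly one. Note that the regex detector is purely syntactic, so it also flags `render_safe`; that is the intended behaviour of a rule like this, which surfaces every interpolation into a script body for a human to confirm that a proper encoder sits in the path.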