Metastatic.Analysis.BusinessLogic.XSSVulnerability (Metastatic v0.10.4)


Detects potential Cross-Site Scripting (XSS) vulnerabilities (CWE-79).

This analyzer identifies code patterns where user input is rendered in HTML output without proper escaping, which can lead to XSS attacks.

Cross-Language Applicability

XSS affects every web framework. Most modern template engines escape output by default, but each framework has a construct that emits a value verbatim (and some older stacks never escaped at all):

  • Elixir/Phoenix: raw(user_input), {:safe, user_input}
  • Python/Django: mark_safe(user_input), |safe filter
  • Python/Flask: Markup(user_input), |safe filter
  • JavaScript/React: dangerouslySetInnerHTML={{__html: userInput}}
  • JavaScript/Vue: v-html="userInput"
  • JavaScript/Angular: [innerHTML]="userInput" (Angular runs this binding through its sanitizer by default; the true bypass is DomSanitizer.bypassSecurityTrustHtml)
  • Ruby/Rails: raw(user_input), html_safe
  • PHP: Direct echo $user_input without htmlspecialchars
  • Java/JSP: <%= userInput %> without escaping

Problem

When user-controlled data is rendered in HTML without escaping:

  • Attackers can inject script that runs in the victim's browser under the application's origin
  • That script can read session cookies (unless they are marked HttpOnly) and capture credentials typed into the page
  • It can perform actions on behalf of the user with their session, including reading any CSRF token in the page
  • It can deface the page or redirect users to an attacker-controlled site

Detection Strategy

Detects patterns where:

  1. raw(), mark_safe(), html_safe, or similar escape-hatch functions are used
  2. innerHTML, dangerouslySetInnerHTML, or v-html patterns appear
  3. User input flows directly to HTML output without escaping or sanitization

Findings from patterns 1 and 2 should be triaged for where the argument originates: an escape hatch applied to developer-authored markup is a code smell, not an exploitable vulnerability, whereas one applied to request data is.
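As an added illustration of the cross-language patterns and of this three-part strategy (example code written for this page, not the analyzer's own implementation): a small Python scanner that applies one sink regex per ecosystem listed above, collects a few "source" identifiers from Phoenix params maps, React props destructuring and Django/Flask request access, propagates them through simple assignments, and rates each sink as high when a source reaches it. The source patterns, the assignment propagation and the file-global source set are simplifying assumptions for the example, not how Metastatic tracks data flow. The sample source lines are constructed for the demo.

```python
import re

# Escape hatches from the list above, one regex per ecosystem. Each captures
# the expression handed to the sink so the flow check can inspect it.
SINKS = [
    ("elixir",  re.compile(r"\braw\(\s*(?P<arg>[^)]*)\)")),
    ("elixir",  re.compile(r"\{:safe,\s*(?P<arg>[^}]*)\}")),
    ("django",  re.compile(r"\bmark_safe\(\s*(?P<arg>[^)]*)\)")),
    ("flask",   re.compile(r"\bMarkup\(\s*(?P<arg>[^)]*)\)")),
    ("jinja",   re.compile(r"\{\{\s*(?P<arg>[^}|]*?)\s*\|\s*safe\s*\}\}")),
    ("react",   re.compile(r"dangerouslySetInnerHTML=\{\{\s*__html:\s*(?P<arg>[^}]*?)\s*\}\}")),
    ("vue",     re.compile(r'v-html="(?P<arg>[^"]*)"')),
    ("angular", re.compile(r'\[innerHTML\]="(?P<arg>[^"]*)"')),  # sanitized by default in Angular
    ("rails",   re.compile(r"(?P<arg>[\w.]+)\.html_safe\b")),
    ("dom",     re.compile(r"\.innerHTML\s*=\s*(?P<arg>[^;]+)")),
    ("jsp",     re.compile(r"<%=\s*(?P<arg>[^%]*?)\s*%>")),
]

# Heuristic "sources": places where request data is bound to a name.
# Assumption for this example only; a real analyzer uses the AST.
SOURCES = [
    re.compile(r'"[^"]+"\s*=>\s*(?P<var>\w+)'),                          # Elixir: %{"name" => name}
    re.compile(r"function\s+\w+\(\s*\{(?P<var>[^}]*)\}\s*\)"),            # React: function C({a, b})
    re.compile(r"(?P<var>\w+)\s*=\s*request\.(?:GET|POST|args|form)\b"),  # Django/Flask request data
]

IDENT = re.compile(r"[A-Za-z_]\w*")
# Plain assignment `lhs = rhs`; `(?!=)` keeps `==` from matching.
ASSIGN = re.compile(r"^\s*(?:const|let|var)?\s*(?P<lhs>\w+)\s*=(?!=)\s*(?P<rhs>.+)$")


def scan(lines):
    """Return (line_no, ecosystem, sink_argument, severity) for every sink."""
    sources = set()   # identifiers currently believed to carry user input
    findings = []
    for lineno, line in enumerate(lines, start=1):
        # 1. bind new sources found on this line
        for pat in SOURCES:
            for m in pat.finditer(line):
                sources.update(v.strip() for v in m.group("var").split(",") if v.strip())
        # 2. propagate taint through `x = <expr mentioning a source>`
        m = ASSIGN.match(line)
        if m and sources & set(IDENT.findall(m.group("rhs"))):
            sources.add(m.group("lhs"))
        # 3. report sinks; "high" if the argument mentions a tainted name
        for ecosystem, pat in SINKS:
            for m in pat.finditer(line):
                arg = m.group("arg").strip()
                tainted = bool(sources & set(IDENT.findall(arg)))
                findings.append((lineno, ecosystem, arg, "high" if tainted else "review"))
    return findings


# Constructed sample: the Bad examples from this page plus a Django view,
# a Vue template, and a raw() applied to a developer-written constant.
SAMPLE = """\
def show(conn, %{"name" => name}) do
  html = "<h1>Hello, #{name}</h1>"
  render(conn, "page.html", content: raw(html))
end
def footer(conn, _params) do
  render(conn, "page.html", content: raw("<hr/>"))
end
function Welcome({name}) {
  return <div dangerouslySetInnerHTML={{__html: name}} />;
}
bio = request.POST["bio"]
return render(request, "profile.html", {"bio": mark_safe(bio)})
<p v-html="comment.body"></p>
""".splitlines()

if __name__ == "__main__":
    for lineno, eco, arg, sev in scan(SAMPLE):
        print(f"line {lineno:2d} [{sev:6s}] {eco}: {arg}")
```

Line 3 is rated high even though raw() receives `html`, not `name`, because the assignment on line 2 carried the taint forward; line 6 is reported but only for review, since `"<hr/>"` is a constant the developer wrote.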

Examples

Bad (Elixir/Phoenix)

def show(conn, %{"name" => name}) do
  html = "<h1>Hello, #{name}</h1>"               # request value interpolated straight into markup
  render(conn, "page.html", content: raw(html))  # raw/1 marks it safe, so it is emitted verbatim
end

Good (Elixir/Phoenix)

def show(conn, %{"name" => name}) do
  render(conn, "page.html", name: name)  # Auto-escaped in template
end

Bad (JavaScript/React)

function Welcome({name}) {
  // __html is parsed as markup, not text, so any tags in name reach the DOM
  return <div dangerouslySetInnerHTML={{__html: name}} />;
}

Good (JavaScript/React)

function Welcome({name}) {
  return <div>{name}</div>;  // Auto-escaped
}
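To make the difference between the Bad and Good pairs concrete, here is an added example (not Phoenix or React code, and not part of the original page) that re-implements the two rendering paths in Python with a hand-written escape function. It uses a constructed payload that first closes an attribute value and then injects a tag, so it exercises both element content and attribute context, and it checks that escaping is lossless: the user's text still displays, just as text.

```python
import html
import re

# Constructed sample input: closes an attribute value, then injects a tag.
PAYLOAD = '"><img src=x onerror=alert(1)>'

# Tag names as a browser would parse them from the markup.
TAG = re.compile(r"<\s*/?\s*([A-Za-z][\w-]*)")


def render_bad(name):
    # Counterpart of the "Bad" pair above: untrusted text is interpolated
    # verbatim, once as element content and once inside an attribute.
    return f'<h1>Hello, {name}</h1><a title="{name}">profile</a>'


def escape_html(value):
    # What template auto-escaping does for the "Good" pair. '&' goes first
    # so the entities produced by the later replacements are not re-encoded;
    # both quote characters are escaped so a value cannot close an attribute.
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#x27;"))


def unescape_html(value):
    # Browser-side decoding, used only to show the round trip is lossless.
    return html.unescape(value)


def render_good(name):
    safe = escape_html(name)
    return f'<h1>Hello, {safe}</h1><a title="{safe}">profile</a>'


def tag_names(markup):
    # The template only wrote <h1> and <a>; anything else came from the input.
    return {m.group(1).lower() for m in TAG.finditer(markup)}


if __name__ == "__main__":
    print("bad :", render_bad(PAYLOAD), tag_names(render_bad(PAYLOAD)))
    print("good:", render_good(PAYLOAD), tag_names(render_good(PAYLOAD)))
```

In the bad output the browser sees an `<img>` element with an `onerror` handler; in the good output the same bytes are entity-encoded, the title attribute stays closed, and decoding the escaped text gives back exactly what the user typed.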