CRITICAL
Rule Definition
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
Remediation
Ensure you don't write dynamic code inside a DOM event-handler attribute such as onmouseover; move the data out of the handler and have a static script read it at runtime.
Violation Code Sample
<div onmouseover="alert(@Model.UserMessage);"> MOUSE OVER ME !!1</div> // VIOLATION
<div onmouseover="alert('@Model.UserMessage');"> MOUSE OVER ME !!2</div> // VIOLATION
<div onmouseover="let msg = @Model.UserMessage"> MOUSE OVER ME !!3</div> // VIOLATION
Fixed Code Sample
<div onmouseover="alert(hello);"> MOUSE OVER ME !!1</div> // NO VIOLATION
<div onmouseover="alert('hello');"> MOUSE OVER ME !!2</div> // NO VIOLATION
<div onmouseover="let msg = hello"> MOUSE OVER ME !!3</div> // NO VIOLATION
Reference
CWE-83: Improper Neutralization of Script in Attributes in a Web Page
https://cwe.mitre.org/data/definitions/83.html
OWASP Cheat Sheet Series - DOM based XSS Prevention
RULE #3 - Be Careful when Inserting Untrusted Data into the Event Handler and JavaScript code Subcontexts within an Execution Context
https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html#rule-3-be-careful-when-inserting-untrusted-data-into-the-event-handler-and-javascript-code-subcontexts-within-an-execution-context
Related Technologies
Technical Criterion
Secure Coding - Input Validation
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.