Avoid rendering resource based on unsanitized user input
ID: javascript-express/external-resource
Language: JavaScript
Severity: Warning
Category: Security
CWE: 706
Description
Rendering resources based on unsanitized user input should be avoided. Values taken from the request body, cookies, headers, route parameters or query string can name arbitrary files or templates. At a minimum, use a safelist (allowlist) so that only a fixed set of known resources can ever be rendered.
Non-Compliant Code Examples

```javascript
app.get("/", (req, res) => {
  // Every one of these values is attacker-controlled and reaches res.render()
  // without any restriction on which template may be rendered.
  res.render(req.body.path)
  res.render(req.cookies.path)
  res.render(req.headers.path)
  res.render(req.params.path)
  res.render(req.query.path)
})
```
Compliant Code Examples

```javascript
app.get("/", (req, res) => {
  const path = req.body.path
  // Only values on the safelist are interpolated into the template name.
  if (["posts", "pages"].includes(path)) {
    return res.render(`${path}/success`)
  }
  // Anything else falls through to a fixed error template.
  res.render("error-page")
})
```
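As an added example (not code from the Datadog rule page), the safelist approach above extended to reject non-string inputs and to map each allowed key to a fixed template name; `ALLOWED_VIEWS`, `resolveView`, `handleRequest` and `renderFor` are names assumed here, and the response object is stubbed so the block runs without Express.

```javascript
// Added example, not part of the original rule page. Framework-free so it
// runs stand-alone; ALLOWED_VIEWS, resolveView, handleRequest and renderFor
// are names chosen for this example.
const ALLOWED_VIEWS = new Map([
  ["posts", "posts/success"],
  ["pages", "pages/success"],
]);

// Map a user-supplied value to a known template name, or null if it is not
// on the safelist. The lookup is an exact string match: arrays and objects
// (Express can produce these from query strings such as ?path=a&path=b),
// traversal strings ("../../etc/passwd") and case variants are all rejected
// simply because they are not keys in the map.
function resolveView(userInput) {
  if (typeof userInput !== "string") return null;
  return ALLOWED_VIEWS.get(userInput) ?? null;
}

// Handler in the same shape as the compliant snippet; `res` is any object
// with a render(name) method, so it works with Express or with a stub.
function handleRequest(req, res) {
  const view = resolveView(req.body && req.body.path);
  if (view !== null) {
    return res.render(view);
  }
  return res.render("error-page");
}

// Run the handler against a stubbed response and report which template
// name was rendered for a given body.path value.
function renderFor(pathValue) {
  let rendered = null;
  handleRequest(
    { body: { path: pathValue } },
    { render: (name) => { rendered = name; } }
  );
  return rendered;
}
```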