Rust: Add qhelp for XSS query

paldepind · paldepind · commit 92808937392b · 2025-11-24T15:41:44.000+01:00
diff --git a/rust/ql/src/queries/security/CWE-079/XSS.qhelp b/rust/ql/src/queries/security/CWE-079/XSS.qhelp
@@ -0,0 +1,46 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Directly writing user input (for example, an HTTP request parameter) to a web
+page, without properly sanitizing the input first, allows for a cross-site
+scripting vulnerability.</p>
+</overview>
+
+<recommendation>
+<p>To guard against cross-site scripting, consider encoding/escaping the unstrusted
+input before including it in the HTML.</p>
+</recommendation>
+
+<example>
+
+<p>The following example shows a simple web handler that writes a path of the
+URL parameter directly to an HTML response, leaving the website vulnerable to
+cross-site scripting:</p>
+
+<sample src="XSSBad.rs" />
+
+<p>To fix this vulnerability, the user input should be HTML-encoded before being
+included in the response:</p>
+
+<sample src="XSSGood.rs" />
+
+</example>
+
+<references>
+<li>
+  OWASP:
+  <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">XSS
+  (Cross Site Scripting) Prevention Cheat Sheet</a>.
+</li>
+<li>
+  WiMISSING: Alert[rust/xss]kipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
+</li>
+<li>
+  OWASP:
+  <a href="https://owasp.org/www-community/attacks/xss/">Cross-site Scripting (XSS)</a>.
+</li>
+</references>
+</qhelp>
diff --git a/rust/ql/src/queries/security/CWE-079/XSSBad.rs b/rust/ql/src/queries/security/CWE-079/XSSBad.rs
@@ -0,0 +1,21 @@
+use actix_web::{web, HttpResponse, Result};
+
+// BAD: User input is directly included in HTML response without sanitization
+async fn vulnerable_handler(path: web::Path<String>) -> impl Responder {
+    let user_input = path.into_inner();
+
+    let html = format!(
+        r#"
+        <!DOCTYPE html>
+        <html>
+        <head><title>Welcome</title></head>
+        <body>
+            <h1>Hello, {}!</h1>
+        </body>
+        </html>
+        "#,
+        user_input
+    );
+
+    Html::new(html) // Unsafe: User input included directly in the response
+}
diff --git a/rust/ql/src/queries/security/CWE-079/XSSGood.rs b/rust/ql/src/queries/security/CWE-079/XSSGood.rs
@@ -0,0 +1,23 @@
+use actix_web::{web, HttpResponse, Result};
+use askama::Template;
+
+// GOOD: Manual HTML encoding using an `html_escape` function
+async fn safe_handler_with_encoding(path: web::Path<String>) -> impl Responder {
+    let user_input = path.into_inner();
+    let escaped_input = html_escape(&user_input);
+
+    let html = format!(
+        r#"
+        <!DOCTYPE html>
+        <html>
+        <head><title>Welcome</title></head>
+        <body>
+            <h1>Hello, {}!</h1>
+        </body>
+        </html>
+        "#,
+        escaped_input
+    );
+
+    Html::new(html) // Safe: user input is HTML-encoded
+}
