[do-not-merge]: Quickstarts Internationalisation #10484
Conversation
![semgrepcode-auth0[bot]](https://avatars.githubusercontent.com/u/2824157?s=60&v=4){kind=small}
| <% var i=0; _.forEach(connections, function(article) { %> | ||
| <% if (article.connection) { %> | ||
| <% if (article.public !== false) { %> | ||
| <a class="connection connection-public" href="<%- article.url %>"> |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link %>'. You may also consider setting the Content Security Policy (CSP) header.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by var-in-href.
You can view more details about this finding in the Semgrep AppSec Platform.
| <% var i=0; _.forEach(connections, function(article) { %> | ||
| <% if (article.connection) { %> | ||
| <% if (article.public !== false) { %> | ||
| <a class="connection connection-public" href="<%- article.url %>"> |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link %>'. You may also consider setting the Content Security Policy (CSP) header.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by var-in-href.
You can view more details about this finding in the Semgrep AppSec Platform.
harishsundar-okta
force-pushed
the
quickstart-internationalisation
branch
from
74a6465 to
e9e53e5
Compare
harishsundar-okta
force-pushed
the
quickstart-internationalisation
branch
from
e9e53e5 to
a7fa47d
Compare
No description provided.