User controllable tag parameter - Vulnerability Database

User controllable tag parameter

Description

This vulnerability occurs when user-supplied input is used to control attributes or content of sensitive HTML tags (such as <link>, <script>, <iframe>, or <a>) without proper validation or sanitization. When attackers can manipulate these tag parameters, they may be able to inject malicious content, redirect users to untrusted resources, or execute arbitrary JavaScript in the context of the application.

Remediation

Implement strict input validation and output encoding to prevent user input from controlling sensitive HTML tag parameters:

1. Use allowlists for validation: Only permit known-safe values for tag attributes. For example, if users can select from predefined options, validate against that specific list.

2. Apply context-appropriate output encoding: Encode user input based on where it appears in the HTML document. For attribute values, use HTML attribute encoding.

3. Avoid direct user control of sensitive attributes: Never allow user input to directly populate attributes like href, src, or data in sensitive tags without validation. Use indirect references (e.g., IDs mapped to safe URLs server-side).

4. Implement Content Security Policy (CSP): Deploy CSP headers to restrict which resources can be loaded, providing defense-in-depth against XSS.

Example (Java, inside a servlet or JSP where `request` and `out` are already in scope):

import java.util.HashMap;
import java.util.Map;
import org.owasp.encoder.Encode; // OWASP Java Encoder

// Unsafe - direct user input in href: the value can carry a javascript: URL
// or a quote that closes the attribute and starts a new one
String userInput = request.getParameter("url");
out.println("<a href='" + userInput + "'>Click here</a>");

// Safe - validate against allowlist: the user supplies only a key,
// the actual URL is taken from a server-side map (indirect reference)
Map<String, String> allowedUrls = new HashMap<>();
allowedUrls.put("home", "/home");
allowedUrls.put("profile", "/user/profile");

String urlKey = request.getParameter("page");
// Unknown or missing keys fall back to a safe default rather than failing open
String safeUrl = allowedUrls.getOrDefault(urlKey, "/home");
// Attribute-context encoding as defense in depth, even for allowlisted values
out.println("<a href='" + Encode.forHtmlAttribute(safeUrl) + "'>Click here</a>");

5. Use security libraries: Leverage established encoding libraries such as OWASP Java Encoder, Microsoft AntiXSS, or framework-specific functions to handle output encoding correctly.
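The allowlist-by-key pattern above is the preferred fix, but applications often have to accept a user-supplied link target as a full URL (share links, "return to" pages). The following is an added example, written in Python rather than the page's Java and not part of the original Invicti entry, that combines steps 1 to 3 for that case: it validates the URL against an allowlist of schemes and hosts (the host names, parameter names and the `/home` fallback are constructed assumptions), rejects `javascript:`, `data:`, protocol-relative and backslash-prefixed references that browsers would resolve off-origin, and then applies attribute-context encoding before emitting the `href`.

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical values, not from the original page).
ALLOWED_HOSTS = {"www.example.com", "docs.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
FALLBACK_URL = "/home"


def validate_link_target(user_url):
    """Return a URL that is safe to place in an href, or FALLBACK_URL.

    Accepted:
      - same-origin relative paths such as "/user/profile"
      - absolute http(s) URLs whose host is in ALLOWED_HOSTS
    Rejected: javascript:/data:/vbscript: and any other scheme, unknown
    hosts, protocol-relative "//host" references, backslash-prefixed paths
    ("/\\host" is treated as "//host" by browsers), control characters and
    malformed input.
    """
    if not isinstance(user_url, str) or not user_url:
        return FALLBACK_URL
    candidate = user_url.strip()
    # Tabs/newlines inside "java\tscript:" are stripped by some parsers and
    # browsers, so reject raw control characters before parsing at all.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return FALLBACK_URL
    # Browsers normalise "\" to "/" in special schemes, so "/\evil" -> "//evil".
    if "\\" in candidate:
        return FALLBACK_URL
    try:
        parts = urlsplit(candidate)  # scheme is returned lower-cased
    except ValueError:
        return FALLBACK_URL
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require exactly one leading slash to stay on-origin.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return FALLBACK_URL
    # Absolute URL: scheme and host must both be allowlisted. Note that
    # "http://www.example.com@evil.example/" has hostname "evil.example".
    if parts.scheme in ALLOWED_SCHEMES and parts.hostname in ALLOWED_HOSTS:
        return candidate
    return FALLBACK_URL


def render_link(user_url, label):
    """Validate the target, then HTML-attribute-encode it and the label.

    Encoding is still required after validation: a relative path like
    '/home" onmouseover="...' passes the URL check but must not be able to
    close the attribute.
    """
    safe_url = validate_link_target(user_url)
    return '<a href="{}">{}</a>'.format(
        html.escape(safe_url, quote=True), html.escape(label, quote=True)
    )


if __name__ == "__main__":
    # Constructed sample inputs a request parameter might carry.
    for sample in (
        "/user/profile",
        "https://docs.example.com/guide",
        "javascript:alert(1)",
        "//evil.example/",
        "/\\evil.example",
        "https://www.example.com@evil.example/",
        '/home" onmouseover="alert(1)',
    ):
        print(repr(sample), "->", render_link(sample, "Click here"))
```

Two design points: rejection always falls back to a known-good URL rather than echoing the rejected value back in an error message (which would reintroduce the same attribute-injection problem), and the scheme/host check is paired with `html.escape(..., quote=True)` because validation and output encoding address different failure modes (off-origin navigation versus breaking out of the attribute).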