Detection of reflected XSS vulnerabilities for Flask or Django is available on SonarCloud

Hello Python developers,

We are proud to announce the availability of a rule detecting reflected XSS (Cross-Site Scripting) vulnerabilities in your Python code. This rule analyzes your Flask and Django controllers and determines whether any user-tainted data can reach the template engine layer (Jinja2 or DTL) where the XSS can be exploited.

Here is an example of a detection on a Flask application:

This XSS rule (S5131) comes on top of the existing Security Hotspot S5247, which detects pieces of code where the autoescape mechanism is disabled and invites you to double-check whether this was really intended.
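As an added example that is not part of the announcement, the views below show the two Flask patterns these rules are about (autoescape switched off, and tainted data marked as trusted HTML) next to the fixed view that leaves Jinja2's default escaping on. It assumes Flask is installed; the routes, the `q` parameter and the `render` helper are made up for illustration.

```python
"""Added example, not from the announcement: reflected XSS sinks in Flask
views (S5131) and the disabled-autoescape hotspot (S5247), plus the fix."""
from flask import Flask, request, render_template_string
from markupsafe import Markup  # the type behind Jinja2's |safe and Markup()

app = Flask(__name__)  # hypothetical app; routes are made up


# Vulnerable: autoescape is switched off for the block, so the user-controlled
# ?q= value is written into the page verbatim. The {% autoescape false %} tag
# is what S5247 flags; the tainted {{ q }} inside it is the S5131 sink.
@app.route("/search-unsafe")
def search_unsafe():
    q = request.args.get("q", "")
    tpl = "{% autoescape false %}<p>Results for {{ q }}</p>{% endautoescape %}"
    return render_template_string(tpl, q=q)


# Equally vulnerable: wrapping tainted data in Markup tells Jinja2 it is
# trusted HTML, so the default autoescaping is bypassed for that value.
@app.route("/search-markup")
def search_markup():
    q = request.args.get("q", "")
    return render_template_string("<p>Results for {{ q }}</p>", q=Markup(q))


# Fixed: pass the raw string and keep Flask's default autoescaping on;
# Jinja2 HTML-encodes the value on output.
@app.route("/search")
def search_safe():
    q = request.args.get("q", "")
    return render_template_string("<p>Results for {{ q }}</p>", q=q)


def render(path: str, q: str) -> str:
    """Drive a view through Flask's test client and return the body as text."""
    with app.test_client() as client:
        return client.get(path, query_string={"q": q}).get_data(as_text=True)


if __name__ == "__main__":
    probe = "<b>hi</b>"  # constructed input containing markup
    print(render("/search-unsafe", probe))  # markup reaches the page untouched
    print(render("/search", probe))         # &lt;b&gt;hi&lt;/b&gt;
```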

If you want to fully benefit from this new detection, the template files (.html files) must be part of the scope of the analysis like this:

sonar.sources=path_to_your_python_files_dir, path_to_your_template_dir
sonar.inclusions=**/*.py,**/*.html

This feature is available on SonarCloud, and will be included in SonarQube Developer Edition+ 8.4.

Alex
