Unsanitized user input in dynamic HTML insertion (XSS)

Overview

  • Rule ID: javascript_lang_dangerous_insert_html

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-79

Description

Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability occurs when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.

Remediation Guidelines

  • Do use an HTML sanitization library to clean user input before inserting it into the HTML. This practice helps prevent XSS attacks by removing or neutralizing potentially harmful scripts.

    import sanitizeHtml from 'sanitize-html';
    
    // Build the markup, then pass the whole string through the sanitizer
    // before it reaches the DOM, so any tags or event handlers carried in
    // user.input are stripped or neutralized according to the library's allowlist.
    const html = `<strong>${user.input}</strong>`;
    document.body.innerHTML = sanitizeHtml(html);
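As an added example (not code from the rule page or the sanitize-html project), the same template-literal pattern in its vulnerable form beside a fixed form. It assumes the user value is meant to be plain text, so it escapes the interpolated value rather than sanitizing the assembled markup; keep the sanitize-html call above for cases where the input is meant to carry HTML. The names and sample input are constructed, and it runs in Node without a DOM.

```javascript
// Added example, not the rule page's code. Demonstrates why interpolating
// untrusted text into markup is dangerous and how escaping the value fixes
// the case where the value is meant to be text rather than HTML.

// Characters that let a string break out of a text node or attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode an untrusted value so the browser treats it as text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: user-controlled text lands directly inside the markup,
// so any tag in the value becomes part of the DOM (the pattern the rule flags).
function renderUnsafe(userInput) {
  return `<strong>${userInput}</strong>`;
}

// Fixed form: only the author's <strong> wrapper is markup; the user value
// is encoded, so a tag typed by the user is displayed literally.
function renderSafe(userInput) {
  return `<strong>${escapeHtml(userInput)}</strong>`;
}

// Defender-side check: does the rendered string contain any tag other than
// the <strong> wrapper the template itself adds? True means user markup leaked.
function containsForeignTag(html) {
  return /<(?!\/?strong>)[a-z!/]/i.test(html);
}

// Constructed sample: a display name containing a quote and an HTML tag.
const SAMPLE_INPUT = "O'Neil <i>(admin)</i>";

console.log('unsafe :', renderUnsafe(SAMPLE_INPUT)); // tag survives as markup
console.log('safe   :', renderSafe(SAMPLE_INPUT));   // tag shown as text
```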

Configuration

To skip this rule during a scan, or to get continuous code-level scanning of your project, use our SAST tool.
