Unsanitized user input in dynamic HTML insertion (XSS)
Overview
Rule ID:
javascript_lang_dangerous_insert_html
Applicable Languages: JavaScript
Weakness ID: CWE-79
Description
Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability occurs when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.
Remediation Guidelines
Do use an HTML sanitization library to clean user input before inserting it into the HTML. This practice helps prevent XSS attacks by removing or neutralizing potentially harmful scripts.
References
Configuration
To omit this rule during a scan, or to set up continuous code-level scanning, you can use our SAST tool.