Unsanitized user input in raw HTML strings (XSS)

Overview

  • Rule ID: javascript_lang_raw_html_using_user_input

  • Applicable Languages: Javascript

  • Weakness ID: CWE-79

Description

Embedding unsanitized user input in HTML makes your application vulnerable to cross-site scripting (XSS) attacks. This flaw permits attackers to insert harmful scripts into web pages accessed by other users.

Remediation Guidelines

  • Avoid embedding user input straight into HTML strings. Doing so can cause XSS vulnerabilities.

    const html = `<h1>${req.params.title}</h1>` // insecure: the title is interpolated unescaped
    
  • Make sure to use a framework or templating language that automatically processes the encoding and sanitizing of user input while forming HTML. This method reduces the likelihood of XSS attacks.

  • Sanitize user input if directly using HTML strings is unavoidable. Use libraries intended for input sanitization to ensure user input is free of malicious content.

    import sanitizeHtml from 'sanitize-html'
    
    // strip tags and attributes the sanitizer does not allow before interpolating
    const sanitizedTitle = sanitizeHtml(req.params.title)
    const html = `<h1>${sanitizedTitle}</h1>`
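The following is an added example, not code from the rule page or from sanitize-html: it places the flagged interpolation beside a hardened version that escapes user input for an HTML text context, so the reader can see exactly what changes in the output. `req` is a constructed stand-in for an Express-style request object; `escapeHtml`, `renderTitleInsecure` and `renderTitleSafe` are names chosen for this example.

```javascript
// Added example (not from the rule page): the insecure interpolation beside a
// hardened version that escapes user input before it is placed in HTML.
// `req` is a constructed stand-in for an Express-style request object.

// The five characters that can change meaning inside an HTML text node or a
// double/single-quoted attribute value, and their entity replacements.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value so the browser renders it as literal text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Insecure: the user-controlled title flows straight into the HTML string.
// This is the pattern the rule flags.
function renderTitleInsecure(req) {
  return `<h1>${req.params.title}</h1>`;
}

// Hardened: the same template, but the title is escaped first, so any tags or
// attributes it contains arrive in the page as inert text.
function renderTitleSafe(req) {
  return `<h1>${escapeHtml(req.params.title)}</h1>`;
}

// Constructed request whose title parameter carries a script tag.
const req = { params: { title: '<script>alert("xss")</script>' } };

console.log(renderTitleInsecure(req)); // markup is live in the page
console.log(renderTitleSafe(req));     // markup is rendered as visible text
```

Escaping is the right tool when user input is meant to be displayed as text; the page's sanitize-html approach is for the narrower case where some user-supplied HTML must be allowed through. The two are not interchangeable, and this escaper covers HTML text and quoted-attribute contexts only: a value placed into a URL, inline script, or style attribute needs encoding specific to that context.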

References

Configuration

To skip this rule during a scan, or to set up continuous code-level scanning, use our SAST tool.
