Unsanitized user input in raw HTML strings (XSS)

Overview

Rule ID: javascript_lang_raw_html_using_user_input
Applicable Languages: Javascript
Weakness ID: CWE-79

Description

Embedding unsanitized user input in HTML makes your application vulnerable to cross-site scripting (XSS) attacks. This flaw permits attackers to insert harmful scripts into web pages accessed by other users.

Remediation Guidelines

Avoid embedding user input straight into HTML strings. Doing so can cause XSS vulnerabilities.
```
const html = <h1>${req.params.title}</h1> // insecure
```
Make sure to use a framework or templating language that automatically processes the encoding and sanitizing of user input while forming HTML. This method reduces the likelihood of XSS attacks.
Sanitize user input if directly using HTML strings is unavoidable. Use libraries intended for input sanitization to ensure user input is free of malicious content.
```
import sanitizeHtml from 'sanitize-html'

const sanitizedTitle = sanitizeHtml(req.params.title)
const html = `<h1>${sanitizedTitle}</h1>`
```

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousUnsanitized User input in OS command NextUnsanitized User input in Redirect HAPI

Last updated 1 year ago

hashtagOverview

hashtagDescription

hashtagRemediation Guidelines

hashtagReferences

hashtagConfiguration

Overview

Description

Remediation Guidelines

References

Configuration