# Unsanitized user input in React inner HTML method (XSS)

## Overview

* **Rule ID**: `javascript_react_dangerously_set_inner_html`
* **Applicable Languages**: JavaScript
* **Weakness ID**: CWE-79

## Description

Using React's `dangerouslySetInnerHTML` with unsanitized data can create Cross-Site Scripting (XSS) vulnerabilities. This happens when external input is directly embedded into the HTML without adequate sanitization, enabling attackers to inject malicious scripts.

## Remediation Guidelines

* **Sanitize** data before using it with `dangerouslySetInnerHTML`. This step is essential to prevent XSS attacks by ensuring that the input is free from malicious scripts.

  ```javascript
  // `sanitize` stands for a real HTML sanitizer that strips scripts and event handlers
  <div dangerouslySetInnerHTML={{__html: sanitize(data)}} />
  ```
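As an added illustration of what this rule checks for (example code, not the scanner's own implementation), the following JavaScript approximates the detection on a constructed JSX snippet: it flags every `__html` value that is neither a string literal nor a single call to a known sanitizer, and it treats `sanitize(a) + b` as unsanitized because the concatenated part bypasses the sanitizer. The accepted sanitizer names are an assumption for this example.

```javascript
// Added example of the rule's logic, not the scanner's own code: a line-based
// checker that flags dangerouslySetInnerHTML={{__html: EXPR}} unless EXPR is a
// string literal or one call to a known sanitizer (names assumed for the example).
const KNOWN_SANITIZERS = ["sanitize", "sanitizeHtml", "DOMPurify.sanitize"];

// Captures the expression passed as __html; a real engine would use the AST.
const PROP_RE =
  /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]+?)\s*\}\s*\}/g;

// True when expr is exactly one call name(...) whose parentheses close at the
// very end, so `sanitize(a) + b` is not mistaken for a sanitized value.
function isWholeCall(expr, name) {
  if (!expr.startsWith(name + "(")) return false;
  let depth = 0;
  for (let i = name.length; i < expr.length; i++) {
    if (expr[i] === "(") depth++;
    else if (expr[i] === ")" && --depth === 0) return i === expr.length - 1;
  }
  return false;
}

function isTrusted(expr) {
  // A compile-time constant string cannot carry user input.
  if (/^(["'`])[\s\S]*\1$/.test(expr)) return true;
  return KNOWN_SANITIZERS.some((name) => isWholeCall(expr, name));
}

// Returns one finding per unsanitized usage: { line, expr } with 1-based lines.
function findUnsanitizedInnerHtml(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const m of text.matchAll(PROP_RE)) {
      if (!isTrusted(m[1])) findings.push({ line: idx + 1, expr: m[1] });
    }
  });
  return findings;
}

// Constructed sample JSX mixing flagged and accepted usages.
const SAMPLE_JSX = `
<div>
  <p dangerouslySetInnerHTML={{ __html: body }} />
  <p dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(body)}} />
  <footer dangerouslySetInnerHTML={{ __html: "<b>&copy; 2024</b>" }} />
  <span dangerouslySetInnerHTML={{ __html: sanitize(intro) + body }} />
  <aside dangerouslySetInnerHTML={{ __html: legal.text }} />
</div>`;

console.log(findUnsanitizedInnerHtml(SAMPLE_JSX)); // findings on lines 3, 6 and 7
```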

## References

* [**OWASP Cross-Site Scripting (XSS) Cheatsheet**](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
* [**CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')**](https://cwe.mitre.org/data/definitions/79.html)
* [**OWASP Top 10: A03:2021 - Injection**](https://owasp.org/Top10/A03_2021-Injection/)

## Configuration

To omit this rule during a scan, or to get continuous 24/7 code-level scanning, use our [**SAST TOOL**](https://scopy.sec1.io/login).
