Unsanitized user input in React inner HTML method (XSS)

Overview

Rule ID: javascript_react_dangerously_set_inner_html
Applicable Languages: Javascript
Weakness ID: CWE-79

Description

Using React's dangerouslySetInnerHTML with unsanitized data can create Cross-Site Scripting (XSS) vulnerabilities. This happens when external input is directly embedded into the HTML without adequate sanitization, enabling attackers to inject malicious scripts.

Remediation Guidelines

Sanitize data before using it with dangerouslySetInnerHTML. This step is essential to prevent XSS attacks by ensuring that the input is free from malicious scripts.
```
<div dangerouslySetInnerHTML={{__html: sanitize(data)}} />
```

References

Configuration

PreviousUnsanitized user input in 'eval' type function NextUnsanitized user input in Access-Control-Allow-Origin

Last updated 8 months ago