Unsanitized user input in React inner HTML method (XSS)

Overview

Rule ID: javascript_react_dangerously_set_inner_html
Applicable Languages: Javascript
Weakness ID: CWE-79

Description

Using React's dangerouslySetInnerHTML with unsanitized data can create Cross-Site Scripting (XSS) vulnerabilities. This happens when external input is directly embedded into the HTML without adequate sanitization, enabling attackers to inject malicious scripts.

Remediation Guidelines

Sanitize data before using it with dangerouslySetInnerHTML. This step is essential to prevent XSS attacks by ensuring that the input is free from malicious scripts.
```
<div dangerouslySetInnerHTML={{__html: sanitize(data)}} />
```

References

OWASP Cross-Site Scripting (XSS) Cheatsheet
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top 10: A03:2021 - Injection

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousUnsanitized user input in 'eval' type function NextUnsanitized user input in Access-Control-Allow-Origin

Last updated 1 month ago