Usage of manual HTML sanitization (XSS)

Overview

  • Rule ID: javascript_lang_manual_html_sanitization

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-79

Description

Manually sanitizing HTML, for example by replacing a few characters with string operations, is error-prone and commonly leads to Cross-Site Scripting (XSS). The vulnerability arises when user input is rendered into a page without escaping or sanitization that is correct for the output context (text, attribute value, URL, script), allowing attackers to inject scripts that run in the browsers of other users who view the page.

Remediation Guidelines

  • Avoid manually escaping HTML to sanitize user input. Hand-written replacements typically cover only part of the problem: the snippet below neutralizes tags in text content but leaves quotes and ampersands untouched, so the same value becomes exploitable as soon as it is placed in an attribute or any other context. For example, using:

    const sanitizedUserInput = user.Input
      .replaceAll('<', '&lt;')
      .replaceAll('>', '&gt;'); // unsafe: '&', '"' and "'" pass through unchanged
    const html = `<strong>${sanitizedUserInput}</strong>`;

  • Instead, use a trusted HTML sanitization library to handle user input safely. Such libraries parse the markup and drop or rewrite tags and attributes that are not on an allow list, which covers a far broader range of XSS vectors than character replacement. Review the library's default allow list and restrict it to the tags and attributes your application actually needs.

    import sanitizeHtml from 'sanitize-html';
    
    const html = sanitizeHtml(`<strong>${user.Input}</strong>`);
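To show concretely what the `replaceAll` pattern above misses, here is an added example that is not part of the rule page or of any library it mentions. It renders a constructed attacker payload into an attribute value first with the rule's partial escape and then with a full five-character escape, and tokenizes the result to show which attributes a browser would see. The function names (`partialEscape`, `escapeHtml`, `renderInput`, `attributeNames`) and the payload are assumptions made for this demonstration; a full text escape is still only correct for text and quoted-attribute contexts, and does not replace a sanitization library when users are allowed to submit markup.

```javascript
// Added example (not from the rule page): why escaping only '<' and '>' is
// insufficient, and what a context-correct text escape has to cover.
// All names and the attacker payload below are constructed for this demo.

// The pattern the rule flags: only angle brackets are replaced.
function partialEscape(input) {
  return String(input).replaceAll('<', '&lt;').replaceAll('>', '&gt;');
}

// Escape the five characters with meaning in HTML text and quoted attribute
// values. Correct for those two contexts only; it does not cover URL,
// JavaScript or CSS contexts, and it cannot preserve markup the user is
// allowed to write, which is the job of a sanitization library.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A hypothetical template that places user input in an attribute value,
// which is where the partial escape fails first. `escape` is whichever
// escaping function the caller chose.
function renderInput(value, escape) {
  return `<input value="${escape(value)}">`;
}

// Constructed attacker input: it contains no angle brackets, so partialEscape
// leaves it unchanged. The leading quote closes the value attribute and the
// remainder adds an event handler that fires as soon as the field is focused.
const payload = `" autofocus onfocus="alert(document.cookie)`;

// Minimal attribute tokenizer for a single tag, enough to show what the
// browser would parse: a list of attribute names, bare or name="value".
function attributeNames(tagHtml) {
  const names = [];
  const re = /\s([\w-]+)(?:="[^"]*")?/g;
  let m;
  while ((m = re.exec(tagHtml)) !== null) names.push(m[1]);
  return names;
}

// Demo: the partial escape yields three attributes, one of them an injected
// handler; the full escape keeps the payload inside the single value attribute.
console.log(renderInput(payload, partialEscape));
console.log(attributeNames(renderInput(payload, partialEscape)));
console.log(renderInput(payload, escapeHtml));
console.log(attributeNames(renderInput(payload, escapeHtml)));
```

The tokenizer is deliberately simplistic (one tag, double-quoted values only); its purpose is to make the attribute boundary visible, not to be a parser. The same payload also defeats the page's `<strong>${sanitizedUserInput}</strong>` snippet the moment that string is reused in an attribute, which is exactly the kind of context change a per-character escape cannot anticipate.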

References

Configuration

To skip this rule during a scan, disable it in the scanner configuration. For continuous code-level scanning of your repositories, you can use our SAST tool.

Last updated