Usage of manual HTML sanitization (XSS)

Overview

Rule ID: javascript_lang_manual_html_sanitization
Applicable Languages: Javascriptscript
Weakness ID: CWE-79

Description

Manually sanitizing HTML is error-prone and can result in Cross-Site Scripting (XSS) vulnerabilities. This happens when user input is not adequately sanitized, enabling attackers to inject malicious scripts into web pages that are viewed by other users.

Remediation Guidelines

Avoid manually escaping HTML to sanitize user input, as this method is unreliable and may overlook certain exploits. For example, using:

const sanitizedUserInput = user.Input
  .replaceAll('<', '&lt;')
  .replaceAll('>', '&gt;'); // unsafe
const html = `<strong>${sanitizedUserInput}</strong>`;

Instead, use a trusted HTML sanitization library to handle user input safely. These libraries are designed to be more reliable and address a broad range of XSS attack vectors.
```
import sanitizeHtml from 'sanitize-html';

const html = sanitizeHtml(`<strong>${user.Input}</strong>`);
```

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousUsage of insufficient random value NextUsage of Session on Static Asset (CSRF)

Last updated 1 year ago

hashtagOverview

hashtagDescription

hashtagRemediation Guidelines

hashtagReferences

hashtagConfiguration

Overview

Description

Remediation Guidelines

References

Configuration