Rendering of resources resolved from external name or reference detected.


Using raw unsanitized input when rendering resources is bad practice.


❌ Avoid passing user or request input to res.render() or require().

✅ Sanitize the input or use a safelist

Where it is unavoidable to rely on user input, sanitize the input or use a safelist to keep the rendered resources within the expected scope.

var path = req.body.path
if (['users', 'posts', 'pages'].includes(path)) {
return res.render(`${path}/success`)

Associated CWE

OWASP Top 10