Rendering of resources resolved from external name or reference detected.

Description

Using raw, unsanitized request input to decide which resource is rendered or loaded (for example as the argument to res.render() or require()) is bad practice: the caller, not the application, ends up choosing which template or module is resolved.

Remediations

❌ Avoid passing user or request input to res.render() or require().

✅ Sanitize the input or use a safelist.

Where it is unavoidable to rely on user input, sanitize the input or use a safelist to keep the rendered resources within the expected scope.

```javascript
// Safelist of view directories this handler is allowed to render
const allowedPaths = ['users', 'posts', 'pages']
const path = req.body.path

// Only render when the request value matches a known entry exactly
if (allowedPaths.includes(path)) {
  return res.render(`${path}/success`)
}
// Anything else is rejected rather than passed through to the view engine
return res.status(400).send('Unknown page')
```
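The example below is an added illustration, not code from the original rule page. It places the unsafe pattern (request input used directly as the view name) beside the safelisted resolver, and applies the same idea to module loading, where a fixed map of loaders replaces a dynamic require(). The safelist contents, the `handler` function, the fake `res` object and the `moduleLoaders` map are all constructed for the example so it runs without Express installed.

```javascript
// Constructed safelist of view directories the handler may render.
const ALLOWED_VIEWS = new Set(['users', 'posts', 'pages']);

// Unsafe: the request value becomes the template path unchanged, so any
// string the client sends (including names the app never intended to
// expose) reaches the view engine.
function resolveViewUnsafe(requested) {
  return `${requested}/success`;
}

// Safe: the request value is only used to pick one of the known views.
// Non-strings and unknown names are rejected outright, not "cleaned up".
function resolveViewSafe(requested) {
  if (typeof requested !== 'string' || !ALLOWED_VIEWS.has(requested)) {
    return null;
  }
  return `${requested}/success`;
}

// Same principle for require(): instead of require(req.query.plugin),
// map accepted names to loaders fixed at build time. The loader bodies
// here are constructed stand-ins for real modules.
const moduleLoaders = {
  csv: () => ({ name: 'csv-exporter' }),
  json: () => ({ name: 'json-exporter' }),
};

function loadExporterSafe(requested) {
  // hasOwnProperty guards against inherited keys such as "constructor"
  if (typeof requested !== 'string' ||
      !Object.prototype.hasOwnProperty.call(moduleLoaders, requested)) {
    return null;
  }
  return moduleLoaders[requested]();
}

// Express-style handler written against a minimal fake `res` so the
// example is self-contained (assumption: real code would use Express).
function handler(req, res) {
  const view = resolveViewSafe(req.body && req.body.path);
  if (view === null) {
    return res.status(400).send('Unknown page');
  }
  return res.render(view);
}

// Fake response object recording what the handler did.
function makeRes() {
  const res = { statusCode: 200, rendered: null, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  res.render = (view) => { res.rendered = view; return res; };
  return res;
}

module.exports = { resolveViewUnsafe, resolveViewSafe, loadExporterSafe, handler, makeRes };
```

Note that the safe resolver compares the whole value against the safelist rather than trying to strip unwanted characters: an exact-match safelist cannot be bypassed by an encoding the sanitizer did not anticipate, and rejecting with a 400 makes unexpected input visible in request logs.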

Associated CWE

OWASP Top 10