Rendering of resources resolved from external name or reference detected.
- Rule ID: javascript_express_external_resource
- Languages: javascript
- Source: external_resource.yml
Description
Using raw unsanitized input when rendering resources is bad practice.
Remediations
❌ Avoid passing user or request input to res.render() or require().
✅ Sanitize the input or use a safelist
Where it is unavoidable to rely on user input, sanitize the input or use a safelist to keep the rendered resources within the expected scope.
var path = req.body.path
if (['users', 'posts', 'pages'].includes(path)) {
return res.render(`${path}/success`)
}