Unsanitized user input in dynamic HTML insertion (XSS)

• Rule ID: javascript_lang_dangerous_insert_html
• Languages: javascript
• Source: dangerous_insert_html.yml

Description

Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.

Remediations

• Do use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.

  import sanitizeHtml from 'sanitize-html';
  
  const html = `<strong>${user.Input}</strong>`;
  document.body.innerHTML = sanitizeHtml(html);

References

• OWASP XSS explained

Associated CWE

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_dangerous_insert_html

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_dangerous_insert_html