Usage of manual HTML sanitization (XSS)

• Rule ID: javascript_lang_manual_html_sanitization
• Languages: javascript
• Source: manual_html_sanitization.yml

Description

Manually sanitizing HTML is prone to mistakes and can lead to Cross-Site Scripting (XSS) vulnerabilities. This occurs when user input is not properly sanitized, allowing attackers to inject malicious scripts into web pages viewed by other users.

Remediations

• Do not manually escape HTML to sanitize user input. This method is unreliable and can easily miss certain exploits.

  const sanitizedUserInput = user.Input
    .replaceAll('<', '&lt;')
    .replaceAll('>', '&gt;'); // unsafe
  const html = `<strong>${sanitizedUserInput}</strong>`;

• Do use a trusted HTML sanitization library to handle user input safely. Libraries designed for sanitization are more reliable as they cover a wide range of XSS attack vectors.

  import sanitizeHtml from 'sanitize-html';
  
  const html = sanitizeHtml(`<strong>${user.Input}</strong>`);

References

• OWASP XSS explained

Associated CWE

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_manual_html_sanitization

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_manual_html_sanitization