Unsanitized user input detected in raw HTML string.


Applications should not include unsanitized user input in HTML. This can allow cross-site scripting (XSS) attacks.


❌ Avoid including user input directly in HTML strings:

const html = `<h1>${req.params.title}</h1>`

✅ Use a framework or templating language to construct the HTML.

✅ When HTML strings must be used, sanitize user input:

import sanitizeHtml from 'sanitize-html'

const sanitizedTitle = sanitizeHtml(req.params.title)
const html = `<h1>${sanitizedTitle}</h1>`
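When the value should be shown as plain text and no user-supplied markup needs to survive, escaping each interpolated value is an alternative to sanitizing. The following is an added example, not part of the original rule documentation; `escapeHtml`, `safeHtml`, `renderUnsafe` and `renderSafe` are hypothetical helper names, and the `req` object is a constructed stand-in for a request.

```javascript
// Characters that can change HTML structure in text or quoted-attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Coerce to string first: query parsers can hand back arrays or objects,
// and those must not skip the replace step.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are markup written by the developer,
// every ${...} value is treated as untrusted and escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Constructed sample standing in for req.params.title.
const req = { params: { title: '<script>alert(1)</script>' } };

// Pattern the rule flags: markup in the title becomes part of the page.
function renderUnsafe(title) {
  return `<h1>${title}</h1>`;
}

// Hardened form: same template, but the value reaches the page as inert text.
function renderSafe(title) {
  return safeHtml`<h1>${title}</h1>`;
}

console.log(renderUnsafe(req.params.title));
console.log(renderSafe(req.params.title));
```

This escaping covers element text and quoted attribute values only; values placed inside `<script>` blocks, URLs or unquoted attributes need context-specific encoding or a templating framework.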


Associated CWE

OWASP Top 10
