Unsanitized user input in React inner HTML method (XSS)
- Rule ID: javascript_react_dangerously_set_inner_html
- Languages: javascript
- Source: dangerously_set_inner_html.yml
Description
There are Cross-Site Scripting (XSS) vulnerabilites when using React's dangerouslySetInnerHTML with unsanitized data.
Remediations
✅ Sanitize data when using dangerouslySetInnerHTML
<div
dangerouslySetInnerHTML={{__html: sanitize(data)}}
/>
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_react_dangerously_set_inner_html
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_react_dangerously_set_inner_html