Unsanitized user input detected in raw HTML string.

Description

Applications should not include unsanitized user input in HTML. This can allow cross-site scripting (XSS) attacks.

Remediations

❌ Avoid including user input directly in HTML strings:

html = "<h1>#{params[:title]}</h1>"

✅ Use a templating language such as ERB, and place the template in a separate file.

✅ When HTML strings must be used, sanitize user input:

html = "<h1>#{strip_tags(params[:title])}</h1>"

Resources

Associated CWE

OWASP Top 10

Ready to take the next step? Join the Bearer Cloud waitlist.