Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The application uses `dangerouslySetInnerHTML`, which may lead to Cross-Site Scripting (XSS). By default, React escapes the data it renders, so markup contained in a string is displayed as text rather than interpreted. Passing a value through `dangerouslySetInnerHTML` bypasses this escaping: the value is inserted as raw HTML, so any markup or JavaScript it contains is executed in the user's browser.
Examples
Insecure Code

```typescript
<div dangerouslySetInnerHTML={{ __html: user_input }} />
```

Secure Code

```typescript
<div>{sanitize(user_input)}</div>
```

Remediation
Remove the call to `dangerouslySetInnerHTML` and render the value as a normal React child, or ensure that the data passed to this call never comes from user-supplied input (or, where raw HTML is genuinely required, is first passed through a strict HTML sanitizer).
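As an added illustration of how this rule can be checked, the following scanner (example code written for this page, not part of the rule engine) flags each `dangerouslySetInnerHTML` use in a source file and rates it by what feeds `__html`: a string literal, a call to an assumed sanitizer name (`sanitize` or `DOMPurify.sanitize`), or any other expression, which is the case the rule reports. It is regex-based and only approximates what an AST-based analyzer does; the sample component file is constructed.

```javascript
// Added example: a line scanner approximating rule CODE-0198.
// Sanitizer names are an assumption about the project's conventions.
const SANITIZER_CALL = /^(sanitize|DOMPurify\.sanitize)\s*\(/;

// Matches the JSX prop and captures the expression assigned to __html.
const DANGER_PROP =
  /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]*?)\s*\}\s*\}/g;

// Rate the expression assigned to __html.
function classify(expr) {
  // A plain string literal (no template interpolation) is static markup.
  const isLiteral = /^(['"`])/.test(expr) && !expr.includes("${");
  if (isLiteral) return "INFO";
  // Sanitized first: lower risk, but the sanitizer's allow-list still needs review.
  if (SANITIZER_CALL.test(expr)) return "LOW";
  // Anything else is raw data reaching innerHTML: the case this rule reports.
  return "HIGH";
}

// Scan a source file and return one finding per dangerouslySetInnerHTML use.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(DANGER_PROP)) {
      findings.push({ line: i + 1, expr: m[1], severity: classify(m[1]) });
    }
  });
  return findings;
}

// Report only the HIGH findings, in the rule's own terms.
function report(source) {
  return scanSource(source)
    .filter((f) => f.severity === "HIGH")
    .map((f) => `CODE-0198 line ${f.line}: __html fed by '${f.expr}'`);
}

// Constructed sample component file (not from any real project).
const SAMPLE = [
  "function Banner({ html }) {",
  "  return <div dangerouslySetInnerHTML={{ __html: html }} />;",
  "}",
  'const Footer = () => <p dangerouslySetInnerHTML={{ __html: "<b>static</b>" }} />;',
  "const Post = ({ body }) => (",
  "  <article dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(body) }} />",
  ");",
  "const Safe = ({ body }) => <div>{body}</div>;",
].join("\n");

console.log(scanSource(SAMPLE));
console.log(report(SAMPLE).join("\n"));
```

Only the `Banner` component is reported as HIGH; `Safe` renders `body` as a React child and is not matched at all, which is the remediation the rule asks for.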
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0198 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XSS, Cross-site Scripting |
| OWASP | A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection |