Cross-Site Scripting (XSS) via Unvalidated User Input

Description

This application accepts user input directly from the client side without validation, which could lead to Cross Site Scripting (XSS) if the input contains malicious script code and the application server does not properly escape or sanitize the output.

Examples

Insecure Code

javascript

router.get('/unsafe', (req, res) => { res.send(req.query.name); })

Secure Code

javascript

router.get('/safe', (req, res) => { var name = encodeURI(req.query.name); res.send(name); })

Remediation

Encode input data before sending it to the client side using functions like encodeURI() or encodeURIComponent().

Rule Details

Field	Value
ID	CODE-0427
Category	Web
Severity	MEDIUM
CWE	CWE-79
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	XSS, Cross-Site Scripting
OWASP	A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Cross-Site Scripting (XSS) via Unvalidated User Input

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Cross-Site Scripting (XSS) via Unvalidated User Input ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Cross-Site Scripting (XSS) via Unvalidated User Input

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details