Cross-Site Scripting (XSS) via serialize-javascript

Description

The application is serializing Javascript objects with vulnerable configurations by setting `{unsafe: true}` in serialize-javascript, which could lead to Cross Site Scripting (XSS) if the input was malicious script code and the application server is not properly validating the output.

Examples

Insecure Code

javascript

const serialize = require('serialize-javascript');
const jsObj = serialize({ foo: htmlResponse }, { unsafe: true });

Secure Code

javascript

const serialize = require('serialize-javascript');
const jsObj = serialize({ foo: htmlResponse });

Remediation

Use serialize-javascript with default settings or set `{unsafe: false}` to encode input data.

Rule Details

Field	Value
ID	CODE-0432
Category	Injection
Severity	MEDIUM
CWE	CWE-80
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	XSS, serialize-javascript
OWASP	A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Cross-Site Scripting (XSS) via serialize-javascript

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Cross-Site Scripting (XSS) via serialize-javascript ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Cross-Site Scripting (XSS) via serialize-javascript

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details