CriticalFile-scopeJavaScript / TypeScript Plug & play

Always sanitize user inputs

Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.

Add to Mesrai Open workspace

Why this matters

Unsanitized inputs can lead to injection vulnerabilities, such as XSS or SQL injection, in cases where inputs are directly used in rendering or database queries.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

const userInput = '<script>alert("Hacked!")</script>';
document.innerHTML = userInput; // Vulnerable to XSS

Prefer

const userInput = '<script>alert("Hacked!")</script>';
const sanitizedInput = userInput.replace(/</g, '&lt;').replace(/>/g, '&gt;');
document.innerHTML = sanitizedInput; // Safe rendering

More snippets

Bad

const userInput = '<script>alert("Hacked!")</script>';
document.innerHTML = userInput; // Vulnerable to XSS

Good

const userInput = '<script>alert("Hacked!")</script>';
const sanitizedInput = userInput.replace(/</g, '&lt;').replace(/>/g, '&gt;');
document.innerHTML = sanitizedInput; // Safe rendering

Related rules

From the same buckets as this rule.

Critical
Always Verify Server Certificates in SSL/TLS Connections
Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.
security-hardening
Critical
Avoid modifying built-in prototypes
Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.
maintainabilitysecurity-hardening
Critical
Avoid unprotected HTTP request redirections
Check if HTTP request redirections are unvalidated. Allowing arbitrary redirections can expose users to phishing attacks. Recommend validating and restricting URLs.
security-hardening

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

const userInput = '<script>alert("Hacked!")</script>';
document.innerHTML = userInput; // Vulnerable to XSS

Prefer

const userInput = '<script>alert("Hacked!")</script>';
const sanitizedInput = userInput.replace(/</g, '&lt;').replace(/>/g, '&gt;');
document.innerHTML = sanitizedInput; // Safe rendering

More snippets

Bad

const userInput = '<script>alert("Hacked!")</script>';
document.innerHTML = userInput; // Vulnerable to XSS

Good

const userInput = '<script>alert("Hacked!")</script>';
const sanitizedInput = userInput.replace(/</g, '&lt;').replace(/>/g, '&gt;');
document.innerHTML = sanitizedInput; // Safe rendering

Related rules

From the same buckets as this rule.

Critical

Always Verify Server Certificates in SSL/TLS Connections

Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.

security-hardening

Critical

Avoid modifying built-in prototypes

Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.

maintainabilitysecurity-hardening

Critical

Avoid unprotected HTTP request redirections

Check if HTTP request redirections are unvalidated. Allowing arbitrary redirections can expose users to phishing attacks. Recommend validating and restricting URLs.

security-hardening