If a user can control the executed code or HTML, a malicious user can send a crafted URL to a victim and control the executed code.

Vulnerable code examples

const firstName = document.querySelector('input[name="firstName"]').value;
document.querySelector('.wt-first-name').innerHTML = firstName;

ECMAScript Template String

ECMAScript template strings should not be used for HTML templating.

element.innerHTML = `<div>Hi, ${firstName}</div>`;

Where firstName might be controlled by a malicious user.

Except the application's code, every external source should be considered harmful.

User your frameworks escaping features.

Last updated