Injection
Web applications are primarily exposed to HTML and JavaScript code injection.
There are multiple entry points:
- parts of the URL,
- request parameters,
- data returned by an untrusted ("unsafe") API.
Third-party data (from users, partners, etc.) must not be trusted: never execute it and never use it as an HTML template.
Never use eval().
Encode URI components
When constructing a URL, every dynamic part must be URI-encoded, so that the data cannot be interpreted as URL syntax (a new parameter, a path segment or a fragment).
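As an added example covering both points above (third-party data in HTML templates, and dynamic parts of a URL), here are two small helpers, buildUrl and escapeHtml, that treat untrusted data as data; this is illustration code, not code from the original page, and the helper names and the sample input are my own.

```javascript
// Escape the five characters that let data break out of an HTML text node or
// a double-quoted attribute value. Prefer textContent or an auto-escaping
// template engine; this is the minimum when you must build an HTML string.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Build a URL whose dynamic parts come from untrusted input. Every key and
// value goes through encodeURIComponent, so '&', '=', '#', '?' and '/' in the
// data cannot add or overwrite parameters or change the path or fragment.
function buildUrl(base, params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return query ? `${base}?${query}` : base;
}

// Constructed sample input: a user-supplied search term that tries to smuggle
// an extra parameter and an HTML tag.
const untrusted = 'shoes&admin=true#<script>alert(1)</script>';

// Unsafe concatenation: '&' and '#' are interpreted as URL syntax, so the
// request now carries admin=true and a fragment the author never intended.
const unsafeUrl = '/search?q=' + untrusted;

// Safe: the same input is a single opaque value of the q parameter.
const safeUrl = buildUrl('/search', { q: untrusted });

// Safe HTML: the tag is rendered as text instead of being parsed as markup.
const safeHtml = `<p>Results for ${escapeHtml(untrusted)}</p>`;
```

Parsing safeUrl back with the URL API returns the original string for q, which is the round-trip property that concatenation loses.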