Web applications are mainly exposed to HTML and JavaScript code injection.

There are multiple entry points:

  • Some part of the URL,

  • Parameters,

  • Data coming from an "unsafe" API.

Third-party (user, partner etc...) data should not be trusted and never executed or used as an HTML template.

Never use eval().

Encode URI components

When constructing a URL, dynamic parts should be URI encoded.

const url = `${encodeURIComponent(userId)}`;

Last updated