Web applications are mainly exposed to HTML and JavaScript code injection (cross-site scripting). Untrusted data can reach the application through multiple entry points:
Some part of the URL (path, query string, fragment),
Request parameters (query, form fields, headers),
Data coming from an "unsafe" API, i.e. one whose responses the application does not control.
Third-party data (from users, partners, etc.) must not be trusted: never execute it and never use it as an HTML template, for instance by concatenating it into a string that is assigned to innerHTML.
Never use eval(), nor its equivalents such as new Function() or string arguments to setTimeout(), on data that comes from outside the application.
When constructing a URL, each dynamic part must be URI encoded with encodeURIComponent(), so that characters such as "/", "?" and "&" in the value cannot change the path or add query parameters:
const url = `https://api.wishtack.com/users/${encodeURIComponent(userId)}`;
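The following is an added example, not code from the original guideline page. It contrasts the unsafe and the safe handling of both cases above: third-party data interpolated into an HTML template, and a dynamic URL part built with and without encodeURIComponent(). The function names (renderUnsafe, renderSafe, buildUserUrl, ...) and the sample payloads are constructed for illustration; the API host is the one used in the page's own snippet.

```javascript
// Added example: untrusted data in HTML templates and in URLs.
// Function names and payloads below are illustrative assumptions.

// --- 1. Third-party data used as an HTML template -------------------------

// Constructed attacker-controlled value (e.g. a display name from a partner API).
const untrustedName = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable: the value is interpolated straight into markup, so the <img>
// tag and its onerror handler would execute once assigned to innerHTML.
function renderUnsafe(name) {
  return `<p>Hello ${name}</p>`;
}

// Encode the five characters that can break out of a text or attribute
// context, so the value is rendered as literal text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe: the value is escaped before being placed in the template. In a
// browser, setting element.textContent instead of innerHTML achieves the same.
function renderSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

// --- 2. Dynamic URL parts ---------------------------------------------------

// Vulnerable: a value containing "/" or "?" rewrites the path or adds
// query parameters (e.g. "../admin" or "42?role=admin").
function buildUserUrlUnsafe(userId) {
  return `https://api.wishtack.com/users/${userId}`;
}

// Safe: encodeURIComponent() turns "/" into "%2F" and "?" into "%3F", so the
// value stays confined to a single path segment.
function buildUserUrl(userId) {
  return `https://api.wishtack.com/users/${encodeURIComponent(userId)}`;
}

// Helpers used to inspect the resulting URL with the standard URL parser.
function pathOf(url) {
  return new URL(url).pathname;
}

function queryOf(url) {
  return new URL(url).search;
}

// Stand-alone demonstration.
console.log(renderUnsafe(untrustedName));
console.log(renderSafe(untrustedName));
console.log(pathOf(buildUserUrlUnsafe('../admin')), pathOf(buildUserUrl('../admin')));
console.log(queryOf(buildUserUrlUnsafe('42?role=admin')), queryOf(buildUserUrl('42?role=admin')));
```

Running this with Node shows the unencoded "../admin" collapsing the path to /admin and "42?role=admin" injecting a query parameter, while the encoded versions keep the whole value inside the /users/ segment.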