Avoid rendering resource based on unsanitized user input

Docs > Code Analysis > Static Analysis Rules > Avoid rendering resource based on unsanitized user input

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: typescript-express/external-resource

Language: TypeScript

Severity: Warning

Category: Security

CWE: 706

Description

Rendering resources based on unsanitized user input should be avoided. At a minimum, one should use a safelist to restrict the potential resources that are exposed.

Non-Compliant Code Examples

app.get("/", (req: Request, res: Response) => {
    res.render(req.body.path)
    res.render(req.cookies.path)
    res.render(req.headers.path)
    res.render(req.params.path)
    res.render(req.query.path)
})

Compliant Code Examples

app.get("/", (req: Request, res: Response) => {
    const path = req.body.path
    if (["posts", "pages"].includes(path)) {
        return res.render(`${path}/success`)
    }
    res.render("error-page")
})