Avoid manual sanitization of inputs
ID: javascript-browser-security/manual-sanitization
Language: JavaScript
Severity: Warning
Category: Security
CWE: 79
Description
Never sanitize HTML input manually with ad-hoc string replacement; it is easy to get wrong and can leave the application open to cross-site scripting (CWE 79, listed above). Use a dedicated module such as sanitize-html
to sanitize user input.
Non-Compliant Code Examples
// Hand-written escaping of only '<' and '>' (flagged by this rule)
const sanitizedInput = input
  .replaceAll('<', '&lt;')
  .replaceAll('>', '&gt;');
const html = `<strong>${sanitizedInput}</strong>`;

// Any chain of replaceAll calls that emits entities by hand is flagged
const sanitizedInput2 = input
  .replaceAll('bla', '&lt;')
  .replaceAll('foo', '&gt;');

// The second replacement is missing its leading '&'; this kind of typo is
// one reason manual escaping is not trusted
const sanitizedInput3 = input
  .replaceAll('<', '&lt;')
  .replaceAll('>', 'gt;');
Compliant Code Examples
import sanitizeHtml from 'sanitize-html';

// Let the library, not hand-written replacements, decide what survives
const html = sanitizeHtml(`<strong>${input}</strong>`);
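To see why the rule distrusts hand-written escaping, the following added example (not part of the original rule page, and not a substitute for sanitize-html) probes an escaper with each HTML-significant character and reports which ones pass through untouched; `naiveEscape` mirrors the first non-compliant snippet, and `wrongOrderEscape` is an assumed variant that adds an '&' replacement in the wrong order.

```javascript
// Characters that change meaning in HTML text or attribute values.
const HTML_SIGNIFICANT = ['&', '<', '>', '"', "'"];

// The manual approach from the non-compliant example: only '<' and '>' handled,
// so quotes and ampersands reach the page unchanged.
function naiveEscape(input) {
  return input.replaceAll('<', '&lt;').replaceAll('>', '&gt;');
}

// Hypothetical "improved" variant: '&' is escaped last, after '<' has already
// become '&lt;', so the output is double-encoded ('&amp;lt;').
function wrongOrderEscape(input) {
  return input
    .replaceAll('<', '&lt;')
    .replaceAll('>', '&gt;')
    .replaceAll('&', '&amp;');
}

// Review-time check: which significant characters does the escaper leave raw,
// and does it double-encode a plain '<'?
function auditEscaper(escape) {
  const unescaped = HTML_SIGNIFICANT.filter((ch) => escape(ch) === ch);
  const doubleEncoded = escape('<').includes('&amp;');
  return { unescaped, doubleEncoded };
}

// Both hand-written escapers fail the audit in different ways.
console.log(auditEscaper(naiveEscape));      // unescaped: [ '&', '"', "'" ]
console.log(auditEscaper(wrongOrderEscape)); // doubleEncoded: true
```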