User-controllable input must be sanitized before it's included in output used to dynamically generate a web page. Unsanitized user input can introduce cross-side scripting (XSS) vulnerabilities that can lead to inadvertedly running malicious code in a trusted context.
1function crossSiteScriptingNoncompliant() {
2 let url = window.location.search.slice(1)
3 // Noncompliant: unsafe jQuery ajax request.
4 $.ajax({url: url, data: "Hello"})
5}
1const ESAPI = require('node-esapi')
2
3function crossSiteScriptingCompliant() {
4 let url = window.location.search.slice(1)
5 // Compliant: url is sanitized before ajax call.
6 url = ESAPI.encoder().encodeForURL(url)
7 $.ajax({url: url, data: "Hello"})
8}
1function nonCompliant(input) {
2 // Noncompliant: Unsanitized input is used.
3 const params = {href: input.a};
4 return React.createElement("a", params);
5}
1function compliant(input) {
2 // Compliant: Sanitized input is used.
3 const sanitizedHref = DOMPurify.sanitize(input.a);
4 const params = { href: sanitizedHref };
5 return React.createElement("a", params);
6}