Deserialization of untrusted or potentially malformed data can be exploited to cause a denial of service or to execute untrusted code.
/**
 * Loads a remote script into the page without any integrity metadata.
 *
 * Noncompliant: no `integrity` digest is set, so whatever bytes the remote
 * host returns are executed unchecked.
 *
 * @returns {void}
 */
function untrustedDeserializationNoncompliant() {
  const remoteScript = document.createElement("script");
  remoteScript.src = "https://example.com/script.js";
  // Noncompliant: appended with no integrity check on the fetched resource.
  document.head.appendChild(remoteScript);
}
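/**
 * Loads a remote script into the page with Subresource Integrity enforced.
 *
 * Compliant: the expected digest is pinned via `integrity`, so the browser
 * refuses to execute the script if the fetched bytes do not match it. Because
 * the script is cross-origin, the request is also made with CORS
 * (`crossOrigin = "anonymous"`); without that the response is opaque to the
 * page, the integrity check cannot be performed, and the load is blocked.
 *
 * @returns {void}
 */
function untrustedDeserializationCompliant() {
  const script = document.createElement("script");
  script.src = "https://example.com/script.js";
  // Compliant: integrity is checked against the pinned SHA-384 digest.
  script.integrity =
    "sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC";
  // SRI is only enforceable on a response the browser is allowed to read;
  // a cross-origin script must therefore be requested in CORS mode.
  script.crossOrigin = "anonymous";
  document.head.appendChild(script);
}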