CWE-79 Cross-Site Scripting
Coverage: 77 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 64Other-pattern 13 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow found a pattern where untrusted input may be rendered as HTML or script.
Why it matters
- Attackers can run arbitrary JavaScript in victims' browsers.
- This can steal sessions, perform actions as the user, or silently change what users see.
Safer examples
1) Escape by default, only allow HTML when necessary
Use templating systems that escape output by default, and avoid "raw" rendering modes.
2) Sanitize when rendering user-provided HTML
el.innerHTML = DOMPurify.sanitize(userHtml);
3) Add defense-in-depth with CSP
Use Content Security Policy to reduce impact if an XSS slips through.
How SiteShadow detects it (high level)
- Finds common XSS sinks and checks whether their inputs appear user-controlled.
- Applies context heuristics to avoid flagging safe patterns (escaped output/sanitizers).
References
- CWE-79: https://cwe.mitre.org/data/definitions/79.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.