CWE-79 Cross-Site Scripting
What this means
SiteShadow found a pattern where untrusted input (request parameters, URL fragments, stored user content) may be rendered as HTML or executed as script without being escaped or sanitized for the context it lands in.
Why it matters
- Attackers can run arbitrary JavaScript in victims' browsers, within your site's origin.
- That script can read session tokens and any data the page can reach, perform actions as the user (with their cookies and anti-CSRF tokens), or silently change what users see.
Safer examples
1) Escape by default, only allow HTML when necessary
Use templating systems that escape output by default, and avoid "raw" rendering modes (innerHTML, dangerouslySetInnerHTML, |safe-style filters) unless the value has already been sanitized. Escaping is context-specific: an HTML body, a quoted attribute value, a JavaScript string and a URL each need different encoding, so always quote attribute values and reject non-http(s) schemes in href/src.
2) Sanitize when rendering user-provided HTML (an allow-list sanitizer, run right before insertion)
el.innerHTML = DOMPurify.sanitize(userHtml);
3) Add defense-in-depth with CSP
Use a Content Security Policy that disallows inline scripts (no 'unsafe-inline') and allows only scripts carrying a per-response nonce or a known hash, so injected markup cannot execute even if an XSS slips through. CSP limits impact; it does not replace escaping.
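The three steps above, worked through as one added example (this is illustration code, not SiteShadow's or any library's implementation): an escape-by-default tagged template with an explicit raw() opt-in, a vulnerable concatenation beside its hardened form, an href scheme check, and a nonce-based CSP header. Function names and the attacker payload are constructed for the example; the nonce is passed in because a real server must generate a fresh one per response from a CSPRNG.

```javascript
// Added example: escape-by-default rendering plus a strict CSP header.
// Runs under Node without a DOM; the render functions return HTML strings.

// HTML body/attribute escaping: the five characters that can change parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Tagged template: every interpolated value is escaped unless wrapped in raw().
// raw() is the explicit opt-in for HTML that has already been sanitized.
class RawHtml { constructor(s) { this.s = s; } }
function raw(sanitizedHtml) { return new RawHtml(sanitizedHtml); }
function html(strings, ...values) {
  return strings.reduce((out, str, i) => {
    const v = values[i - 1];
    return out + (v instanceof RawHtml ? v.s : escapeHtml(v)) + str;
  });
}

// Vulnerable pattern (kept for contrast): untrusted strings concatenated into markup.
function renderCommentUnsafe(name, text) {
  return '<p class="comment"><b>' + name + '</b>: ' + text + '</p>';
}

// Hardened pattern: same markup, but the template escapes by default.
function renderCommentSafe(name, text) {
  return html`<p class="comment"><b>${name}</b>: ${text}</p>`;
}

// URL context: escaping alone does not stop javascript: URLs, so allow-list the scheme.
function renderLink(href, label) {
  const safeHref = /^https?:\/\//i.test(href) ? href : '#';
  return html`<a href="${safeHref}">${label}</a>`;
}

// Defense in depth: only scripts carrying this response's nonce may run; no 'unsafe-inline'.
function cspHeader(nonce) {
  // Refuse anything that is not a base64 token so a bad nonce cannot corrupt the header.
  if (!/^[A-Za-z0-9+/=]{16,}$/.test(nonce)) throw new Error('nonce must be a base64 CSPRNG value');
  return `default-src 'self'; script-src 'nonce-${nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'`;
}

// Constructed attacker input for the demonstration.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
```

In the unsafe renderer PAYLOAD survives verbatim and the onerror handler fires on load; in the safe renderer it is rendered as visible text. Anything passed through raw() must have gone through an allow-list sanitizer first, which is the same rule as step 2.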
How SiteShadow detects it (high level)
- Finds common XSS sinks (places where a string becomes markup or code) and checks whether the values flowing into them appear user-controlled.
- Applies context heuristics to avoid flagging patterns that are already safe, such as escaped output or values passed through a sanitizer.
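To make the sink/source/sanitizer idea concrete, here is an added toy detector (not SiteShadow's engine, whose internals this page does not describe): it walks sample JavaScript lines, tracks which identifiers were assigned from user-controlled sources, clears that taint when a sanitizer is applied, and reports each sink with a verdict. The regular expressions, verdict labels and the SAMPLE source are constructed for the example and are far cruder than a real analyzer.

```javascript
// Added example: line-based taint heuristic over sample source (illustration only).
const SINK_RE = /(\.innerHTML\s*=|\.outerHTML\s*=|document\.write\s*\(|\.insertAdjacentHTML\s*\(|\beval\s*\()/;
const SOURCE_RE = /(location\.(search|hash|href)|document\.(URL|referrer|cookie)|URLSearchParams|\.value\b)/;
const SANITIZER_RE = /(DOMPurify\.sanitize|escapeHtml|encodeURIComponent)\s*\(/;
// Simple assignments only: "const x = rhs;" or "x = rhs;".
const ASSIGN_RE = /^\s*(?:(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$/;

function analyze(lines) {
  const tainted = new Set(); // identifiers currently holding user-controlled data
  const findings = [];
  const mentionsTaint = (text) =>
    SOURCE_RE.test(text) ||
    [...tainted].some((v) => new RegExp(`\\b${v.replace(/\$/g, '\\$')}\\b`).test(text));

  lines.forEach((line, idx) => {
    const isSink = SINK_RE.test(line);
    const m = !isSink && ASSIGN_RE.exec(line);
    if (m) {
      const [, name, rhs] = m;
      // Propagate taint through assignment; a sanitizer call on the RHS clears it.
      if (mentionsTaint(rhs) && !SANITIZER_RE.test(rhs)) tainted.add(name);
      else tainted.delete(name);
      return;
    }
    if (!isSink) return;
    let verdict;
    if (!mentionsTaint(line)) verdict = 'sink, input not user-controlled';
    else if (SANITIZER_RE.test(line)) verdict = 'sink, sanitized';
    else verdict = 'FLAG: user-controlled input reaches XSS sink';
    findings.push({ line: idx + 1, verdict });
  });
  return findings;
}

// Constructed sample source, not taken from any real application.
const SAMPLE = [
  'const params = new URLSearchParams(location.search);',
  'const name = params.get("name");',
  'const greeting = "Hello, " + name;',
  'document.getElementById("greet").innerHTML = greeting;',
  'document.getElementById("bio").innerHTML = DOMPurify.sanitize(name);',
  'document.getElementById("footer").innerHTML = "<p>Static footer</p>";',
  'document.write(document.referrer);',
];
```

Run over SAMPLE, lines 4 and 7 are flagged (URL parameter reaching innerHTML through two assignments, and document.referrer written directly), line 5 is classified as sanitized, and line 6 as a sink fed by a constant. The example shows why heuristics of this kind need context: it cannot tell an HTML-context sanitizer from a URL encoder, and it does not see data flowing through function calls, which is exactly where a real analyzer earns its keep.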
References
- CWE-79: https://cwe.mitre.org/data/definitions/79.html
---