SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-80 Basic Cross-Site Scripting

Coverage: 4 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 3Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged output that may include untrusted data without proper encoding/escaping, allowing it to be interpreted as HTML or script in a browser.

Why it matters

XSS enables script execution in user browsers.

Safer examples

1) Use safe text APIs (DOM)

el.textContent = userInput; // safe
// el.innerHTML = userInput; // risky

2) Sanitize if you must render user-provided HTML

import DOMPurify from "dompurify";
el.innerHTML = DOMPurify.sanitize(userHtml);

3) Escape by default in templates

Use templating/framework defaults that escape output by default; avoid "raw HTML" escape hatches.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.