SCP02 Output Encoding
What this means
SiteShadow flagged output being rendered without context-appropriate encoding/escaping. This often becomes cross-site scripting (XSS) or content injection when untrusted data is placed into HTML, attributes, URLs, or JavaScript contexts.
Why it matters
Missing output encoding leads to XSS and injection in rendered views.
- Account takeover by running attacker scripts in a victim's browser.
- Data exfiltration from pages the victim can access.
- UI manipulation and phishing inside your own domain.
Safer examples
1) Prefer safe text APIs in the DOM
el.textContent = userInput; // safe: the browser treats the value as text, never as markup
// el.innerHTML = userInput; // risky: the value is parsed as HTML, so tags and event handlers execute
2) Avoid "raw HTML" escape hatches in templates
Most frameworks escape by default; don't disable that escaping unless you fully control the content being rendered.
3) Sanitize only when you must render user HTML
import DOMPurify from "dompurify";
// sanitize() returns a cleaned HTML string with scripts and event handlers removed
el.innerHTML = DOMPurify.sanitize(userHtml);
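The snippets above cover the DOM. When a view is assembled as a string, the encoder has to match the context the value lands in (HTML body, attribute, URL parameter, JavaScript string). The following is an added example, not SiteShadow's own code; the encoder names, the `renderProfileFragment` template and the sample input are assumptions constructed for illustration.

```javascript
// Added example: one encoder per output context. Rendering untrusted data
// through the wrong encoder, or none, is what SCP02 flags.

// HTML body context: entity-encode the characters that can start markup.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  })[c]);
}

// HTML attribute context: encode everything except alphanumerics, so the
// value cannot close a quoted or unquoted attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^a-zA-Z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// URL parameter context: percent-encode so the value cannot add or alter
// query parameters or path segments.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// JavaScript string context (inside a <script> block): \xHH / \uHHHH escape
// every non-alphanumeric character, including "</" so the string can never
// terminate the surrounding <script> element.
function encodeForJsString(s) {
  return String(s).replace(/[^a-zA-Z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Assumed view: the same untrusted value placed in four contexts, each
// routed through the encoder for that context.
function renderProfileFragment(name) {
  return [
    `<p>Hello, ${encodeForHtml(name)}</p>`,
    `<input value="${encodeForHtmlAttribute(name)}">`,
    `<a href="/search?q=${encodeForUrlParam(name)}">search</a>`,
    `<script>var who = "${encodeForJsString(name)}";</script>`,
  ].join("\n");
}

// Constructed sample input that would break out of all four contexts if echoed raw.
const SAMPLE_INPUT = '"><script>alert(1)</script>';
console.log(renderProfileFragment(SAMPLE_INPUT));
```

The rendered output keeps the input inert in every context: the body shows it as literal text, the attribute and JavaScript string stay closed, and the URL carries it as a single percent-encoded parameter value.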
How SiteShadow detects it (high level)
- Detects common rendering sinks (HTML/DOM/template output) and whether they receive untrusted input.
- Recognizes common escaping/sanitization patterns to reduce false positives.
References
- OWASP Secure Coding Practices: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/