SiteShadow
Back to vulnerability library
Detected bySecure-coding-practice checks (SCP)Pro

SCP02 Output Encoding

What this means

SiteShadow flagged output being rendered without context-appropriate encoding/escaping. This often becomes cross-site scripting (XSS) or content injection when untrusted data is placed into HTML, attributes, URLs, or JavaScript contexts.

Why it matters

Missing output encoding leads to XSS and injection in rendered views.

Safer examples

1) Prefer safe text APIs in the DOM

el.textContent = userInput; // safe
// el.innerHTML = userInput; // risky

2) Avoid "raw HTML" escape hatches in templates

Most frameworks escape by default, don't disable it unless you fully control the content.

3) Sanitize only when you must render user HTML

import DOMPurify from "dompurify";

el.innerHTML = DOMPurify.sanitize(userHtml);

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.