SiteShadow
Back to vulnerability library
Detected byRegex rules + pattern checksFree

X01 XSS Risk

What this means

SiteShadow flagged code where untrusted input appears to flow into HTML/DOM sinks (places that can interpret it as markup or script).

Why it matters

Safer examples

1) Use text APIs, not HTML APIs (DOM)

// Good
el.textContent = userInput;

// Risky
// el.innerHTML = userInput;

2) If you must render HTML, sanitize with a well-known library

import DOMPurify from "dompurify";

el.innerHTML = DOMPurify.sanitize(userHtml);

3) Prefer frameworks' safe templating defaults

Most templating systems escape by default. Avoid "raw HTML" escape hatches unless you sanitize.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this in your code with the free tier.

SiteShadow's free tier covers this exact pattern across the 23 OWASP Top 10 single-file checks. Sign in with your work SSO, first-time sign-in auto-issues your free license.