Typescript Injection Of Untrusted Content
Description
Detects Express.js route handlers that inject unsanitized HTTP request data directly into HTML responses via res.send(). When user-controlled input from req.query, req.body, req.params, or req.headers is embedded in HTML without sanitization, attackers can inject malicious scripts that execute in victims' browsers.
Detection Strategy
• Identifies Express.js files via import of 'express'
• Locates res.send() calls whose argument contains HTML markup (tags matched via regex)
• Traces the HTML argument to determine if it contains user-supplied data from HTTP request properties (req.query, req.body, req.params, req.headers)
• Reports a vulnerability when unsanitized HTTP request data flows into an HTML string passed to res.send()
Vulnerable code example
import express, { Request, Response } from 'express';
const app = express();
app.use(express.json());
app.get('/vulnerable1', (req: Request, res: Response) => {
  // Untrusted query-string value concatenated straight into the HTML response
  const userInput = req.query.name as string;
  res.send("<h1>" + userInput + "</h1>");
});
✅ Secure code example
import express, { Request, Response } from 'express';
import sanitizeHtml from 'sanitize-html';
const app = express();
app.get('/secure1', (req: Request, res: Response) => {
  const comment = req.query.comment as string;
  // Strip disallowed tags and attributes before the value reaches the response
  const clean = sanitizeHtml(comment);
  // Assumed continuation of the truncated excerpt: only the sanitized value reaches res.send()
  res.send("<p>" + clean + "</p>");
});