Javascript Unsafe Setcontent User Input

Description

Detects potential JavaScript code injection vulnerabilities in web applications that use the Playwright automation framework. When untrusted user input flows into Playwright's setContent() method without proper sanitization, it can lead to Cross-Site Scripting (XSS): the content is rendered as HTML, so any script tags or event handlers it carries execute in the page.

Weakness:

100 - Server-side request forgery (SSRF)

Category: Deceptive Interactions

Detection Strategy

    Look for usage of Playwright's setContent() method in code

    Check if the content parameter passed to setContent() contains or is derived from user input

    Flag as vulnerable if user input flows to setContent() without proper HTML escaping or sanitization

    Consider the input source - parameters, form fields, URL parameters, etc. that could contain malicious JavaScript
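As an added example (not part of this rule page or of any scanner's real implementation), the strategy above as a small line-based taint check; the Express-style `req.query/body/params` source names, the `.sanitize(` sanitizer pattern and the two sample sources are assumptions.

```javascript
// Added example, not code from the original page: a line-based taint check
// for user input reaching setContent(). Source/sanitizer names are assumptions.

// Request fields treated as user-controlled (assumption: Express-style handlers).
const TAINT_SOURCES = /\breq\.(query|body|params)\b/;
// Calls accepted as HTML sanitizers (assumption: DOMPurify-style API).
const SANITIZERS = /\b\w+\.sanitize\s*\(/;

// Walk the source line by line, tracking variables whose initializer is
// tainted, and report each setContent() call whose argument is still tainted.
function findUnsafeSetContent(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const decl = line.match(/\b(?:const|let|var)\s+(\w+)\s*=\s*(.+);/);
    if (decl) {
      const [, name, rhs] = decl;
      const usesTaint = TAINT_SOURCES.test(rhs) ||
        [...tainted].some((v) => new RegExp(`\\b${v}\\b`).test(rhs));
      // A sanitizer call on the right-hand side clears the taint.
      if (usesTaint && !SANITIZERS.test(rhs)) tainted.add(name);
      else tainted.delete(name);
    }
    const call = line.match(/\.setContent\s*\(\s*([^)]*)\)/);
    if (!call) return;
    const arg = call[1].trim();
    if (SANITIZERS.test(arg)) return;              // sanitized inline
    if (TAINT_SOURCES.test(arg) || tainted.has(arg)) {
      findings.push({ line: idx + 1, arg });
    }
  });
  return findings;
}

// Constructed samples mirroring the vulnerable and secure snippets on this page.
const VULNERABLE_SAMPLE = `
async function renderUnsafeContent(req, res) {
  const html = req.query.html;
  const page = await browser.newPage();
  await page.setContent(html);
}`;
const SAFE_SAMPLE = `
async function renderSafeContent(req, res) {
  const safeHtml = purify.sanitize(req.query.html);
  const page = await browser.newPage();
  await page.setContent(safeHtml);
}`;
console.log(findUnsafeSetContent(VULNERABLE_SAMPLE)); // [{ line: 5, arg: 'html' }]
console.log(findUnsafeSetContent(SAFE_SAMPLE));       // []
```

It only follows single-line assignments inside one function, so string concatenation, values built across several lines, and input passed through helper functions need real data-flow analysis rather than this regex pass.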

Vulnerable code example

const { chromium } = require('playwright');

async function renderUnsafeContent(req, res) {
  const html = req.query.html; // Unsanitized user input directly used in page content
  const browser = await chromium.launch();
  const page = await browser.newPage();
  await page.setContent(html);  // Vulnerable: Allows arbitrary HTML/JS injection
  await browser.close();
  res.end(); // respond once rendering is done
}

✅ Secure code example

const { chromium } = require('playwright');
const DOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');

async function renderSafeContent(req, res) {
  // Create DOMPurify instance with JSDOM to sanitize HTML in Node.js
  const window = new JSDOM('').window;
  const purify = DOMPurify(window);
  // Strip script tags, event handlers and other active content before rendering
  const safeHtml = purify.sanitize(req.query.html ?? '');
  const browser = await chromium.launch();
  const page = await browser.newPage();
  await page.setContent(safeHtml); // Only sanitized markup reaches the page
  await browser.close();
  res.end();
}