Javascript Injection Of Untrusted Content

Description

Detects Express.js route handlers that inject unsanitized HTTP request data directly into HTML responses via res.send(). When user-controlled input from req.query, req.body, req.params, req.headers, or req.cookies is embedded in HTML without sanitization, attackers can inject malicious scripts that execute in victims' browsers.

Weakness:

184 - Lack of data validation

Category: Unexpected Injection

Detection Strategy

    Identifies Express.js files via require('express') import

    Locates res.send() calls whose argument contains HTML markup (tags matched via regex)

    Traces the HTML argument to determine if it contains user-supplied data from HTTP request properties (req.query, req.body, req.params, req.headers, req.cookies)

    Reports a vulnerability when unsanitized HTTP request data flows into an HTML string passed to res.send()
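
As an added illustration of the four steps above (not the rule's own implementation), the following Node.js script approximates them with regexes over source text. The request-property pattern, the HTML-tag pattern, the sanitizer allow-list (sanitizeHtml, escapeHtml) and the assignment-based taint propagation are assumptions made for this example; the two embedded inputs are the page's handlers, condensed.

```javascript
// Added example: a regex approximation of the detection strategy; a real analyzer works on the AST.
const REQ_SOURCE = /\breq\.(query|body|params|headers|cookies)\b/;
const HTML_TAG = /<\/?[a-zA-Z][^>]*>/;                 // "argument contains HTML markup"
const SEND_CALL = /res\.send\(([\s\S]*?)\);/g;          // capture the argument of res.send()
const SANITIZER = /\b(sanitizeHtml|escapeHtml)\s*\(/;   // assumed allow-list of sanitizers
const ASSIGN = /\b(?:const|let|var)\s+(\w+)\s*=\s*([^;\n]+)/g;

// Names of local variables that carry request data without passing through a sanitizer.
function taintedVariables(source) {
  const tainted = new Set();
  for (const [, name, rhs] of source.matchAll(ASSIGN)) {
    if (SANITIZER.test(rhs)) continue;                  // cleaned on assignment
    const fromRequest = REQ_SOURCE.test(rhs);
    const fromTainted = [...tainted].some(t => new RegExp(`\\b${t}\\b`).test(rhs));
    if (fromRequest || fromTainted) tainted.add(name);
  }
  return tainted;
}

// One finding per res.send() whose HTML argument carries unsanitized request data.
function findHtmlInjection(source) {
  if (!/require\(['"]express['"]\)/.test(source)) return []; // not an Express file
  const tainted = taintedVariables(source);
  const findings = [];
  for (const m of source.matchAll(SEND_CALL)) {
    const arg = m[1];
    if (!HTML_TAG.test(arg) || SANITIZER.test(arg)) continue;
    const usesRequest = REQ_SOURCE.test(arg) ||
      [...tainted].some(v => new RegExp(`\\b${v}\\b`).test(arg));
    if (usesRequest) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ line, argument: arg.trim() });
    }
  }
  return findings;
}

// Constructed inputs: the page's two handlers, condensed to one string each.
const VULNERABLE = `const express = require('express');
app.get('/vulnerable1', (req, res) => {
  const userInput = req.query.name;
  res.send("<h1>" + userInput + "</h1>");
});`;
const SECURE = `const express = require('express');
const sanitizeHtml = require('sanitize-html');
app.get('/secure1', (req, res) => {
  const comment = req.query.comment;
  const clean = sanitizeHtml(comment);
  res.send(\`<div>\${clean}</div>\`);
});`;
```

Running findHtmlInjection on VULNERABLE reports the res.send() on line 4; on SECURE it reports nothing because the value reaching the template passed through sanitizeHtml.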

Vulnerable code example

const express = require('express');
const app = express();

app.get('/vulnerable1', (req, res) => {
    const userInput = req.query.name;
    // Vulnerable: user input is concatenated straight into the HTML response
    res.send("<h1>" + userInput + "</h1>");
});

app.listen(3000);

✅ Secure code example

const express = require('express');
const sanitizeHtml = require('sanitize-html');
const app = express();

app.get('/secure1', (req, res) => {
    // Coerce to a string so a missing parameter does not reach the sanitizer as undefined
    const comment = String(req.query.comment ?? '');
    // sanitize-html strips disallowed tags and attributes before the value is rendered
    const clean = sanitizeHtml(comment);
    res.send(`<div>${clean}</div>`);
});

app.listen(3000);