# no-improper-sanitization
Detects improper sanitization of user input. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-coding).
Keywords: improper sanitization, CWE-116, CWE-79, XSS, encoding, escaping, security
💼 This rule is set to error in the recommended config.
## Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-116 (Improper Encoding), CWE-79 (XSS) |
| Severity | High (CVSS 7.5) |
| Auto-Fix | 💡 Suggestions available |
| Category | Input Validation & XSS |
## Vulnerability and Risk

**Vulnerability:** Improper sanitization occurs when user input is treated as safe without removing or encoding potentially dangerous characters (like HTML tags or script injection vectors) before using it in a sensitive context (like rendering in a browser or executing as code).

**Risk:** This leads to Cross-Site Scripting (XSS), where attackers can inject malicious scripts to steal sessions, redirect users, or deface websites. It can also lead to other injection attacks depending on the context (e.g., SQL injection, Command injection).
## Rule Details
Improper sanitization occurs when user input is not properly cleaned before use in sensitive contexts. This can lead to:
- Cross-site scripting (XSS) attacks
- SQL/NoSQL injection
- Command injection
- Header injection
## Why This Matters
| Issue | Impact | Solution |
|---|---|---|
| 🎭 XSS | Session hijacking | Use context-aware encoding |
| 💉 Injection | Data breach | Use proper escaping functions |
| 🔓 Bypass | Security control evasion | Defense in depth |
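As an added illustration of the "context-aware encoding" the table calls for (example code written for this page, not part of eslint-plugin-secure-coding or of any library it names): a minimal HTML encoder, a minimal JavaScript-string encoder, the incomplete escaper the rule flags, and a round-trip harness showing why an HTML escaper is the wrong tool inside a JS string literal. The names `encodeForHTML`, `encodeForJavaScript`, `incompleteHtmlEscape` and `evalAsJsString` are chosen here and are not a library API.

```javascript
// Added example: minimal context-aware encoders (not the rule's or any library's code).

// HTML text/attribute context: map every character that can change HTML structure.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeForHTML(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// JavaScript string-literal context: hex/unicode-escape every non-alphanumeric
// UTF-16 code unit, so quotes, backslashes, '<' (as in '</script>') and the
// U+2028/U+2029 line terminators can never end the literal or the script block.
function encodeForJavaScript(str) {
  return String(str).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The incomplete escaper from the rule's "Incorrect" example: a string pattern
// replaces only the first '<', and '>' is never touched, so later tags survive.
function incompleteHtmlEscape(input) {
  return input.replace('<', '&lt;');
}

// Harness for the "wrong context" case: embed the encoded value in a JS string
// literal exactly as the flagged template does, evaluate it, and return what the
// script actually sees. A SyntaxError here means the literal was broken open.
function evalAsJsString(userInput, encoder) {
  const script = `var x = "${encoder(userInput)}"; return x;`;
  return new Function(script)();
}
```

With `encodeForJavaScript` every input round-trips unchanged; with `encodeForHTML` a lone backslash produces a syntax error and quotes come back as `&quot;`, which is the data corruption and breakout risk the rule reports.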
## Examples
### ❌ Incorrect

```js
// Incomplete HTML escaping
const sanitized = input.replace('<', '&lt;'); // string pattern: only the first '<' is replaced
element.innerHTML = sanitized; // Missing '>' escaping!

// Wrong context encoding
const jsValue = htmlEscape(userInput);
const script = `var x = "${jsValue}"`; // HTML escape in JS context!

// Using replace() for sanitization
const clean = userInput.replace(/[<>]/g, '');
// Bypassable with: <img onerror=alert(1) src=x>

// Incomplete SQL sanitization
const query = `SELECT * FROM users WHERE name = '${input.replace("'", "''")}'`;
// Doesn't handle all edge cases
```

### ✅ Correct

```js
// Use DOMPurify for HTML
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);

// Context-aware encoding
import { encodeForHTML, encodeForJavaScript } from 'safe-encoder';
const htmlSafe = encodeForHTML(userInput);
const jsSafe = encodeForJavaScript(userInput);

// Use proper escaping libraries
import { escape } from 'html-escaper';
const safeHtml = escape(userInput);

// Use parameterized queries (not string escaping)
db.query('SELECT * FROM users WHERE name = ?', [userInput]);
```

## Configuration
```js
{
  rules: {
    'secure-coding/no-improper-sanitization': ['error', {
      safeSanitizers: ['DOMPurify.sanitize', 'escape', 'encodeForHTML'],
      dangerousChars: ['<', '>', '"', "'", '&'],
      trustedLibraries: ['dompurify', 'html-escaper', 'xss']
    }]
  }
}
```

## Options
| Option | Type | Default | Description |
|---|---|---|---|
| `safeSanitizers` | `string[]` | `['DOMPurify.sanitize']` | Safe sanitization functions |
| `dangerousChars` | `string[]` | `['<', '>', '"', "'"]` | Characters that should be escaped |
| `contexts` | `string[]` | `['html', 'js', 'url', 'css']` | Encoding contexts to check |
| `trustedLibraries` | `string[]` | `['dompurify']` | Trusted sanitization libraries |
## Error Message Format

```
🔒 CWE-116 OWASP:A03-Injection CVSS:7.5 | Improper Sanitization | HIGH [SOC2,PCI-DSS]
Fix: Use DOMPurify.sanitize() or context-aware encoding | https://cwe.mitre.org/...
```

## Known False Negatives
The following patterns are not detected due to static analysis limitations:
### Values from Variables

**Why:** Values stored in variables are not traced.

```js
// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);
```

**Mitigation:** Validate all user inputs.
### Wrapper Functions

**Why:** Custom wrappers are not recognized.

```js
// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internally
```

**Mitigation:** Apply the rule to wrapper implementations.
### Dynamic Invocation

**Why:** Dynamic calls are not analyzed.

```js
// ❌ NOT DETECTED - Dynamic
obj[method](userInput);
```

**Mitigation:** Avoid dynamic method invocation.
## Further Reading

- [OWASP XSS Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) - XSS prevention cheat sheet
- [CWE-116](https://cwe.mitre.org/data/definitions/116.html) - Improper encoding
- [DOMPurify](https://github.com/cure53/DOMPurify) - HTML sanitization library
## Related Rules

- `no-unsanitized-html` - XSS via innerHTML
- `no-unescaped-url-parameter` - URL parameter injection