no-improper-sanitization
Detects improper sanitization of user input
Keywords: improper sanitization, CWE-116, CWE-79, XSS, encoding, escaping, security
CWE: CWE-20
OWASP Mobile: M4: Insufficient Input/Output Validation
Detects improper sanitization of user input. This rule is part of eslint-plugin-secure-coding.
πΌ This rule is set to error in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-116 (Improper Encoding), CWE-79 (XSS) |
| Severity | High (CVSS 7.5) |
| Auto-Fix | π‘ Suggestions available |
| Category | Security |
Value & investment case
Why this rule pays for itself. Framework:
cicd-impact/philosophy.md.
| Dimension | Value |
|---|---|
| CWE | CWE-79 β Cross-site Scripting (XSS) + CWE-116 (Improper Encoding) |
| Feedback-loop tier | Editor / pre-commit (sub-second) β cheapest layer per the feedback-loop hierarchy |
| Defensive-layer leverage | ~10Γ cheaper than unit-test Β· ~1,000Γ cheaper than production rollback Β· 10,000+Γ cheaper than customer disclosure (cost-ratio anchors) |
| Niche relevance | Critical: B2C, marketplaces, B2B SaaS (any frontend surface) Β· High: fintech (admin/back-office UI), healthtech (patient portals) Β· Medium: infra/devtools |
| Investor-frame impact | XSS is the most-cited OWASP Top-10 issue. Session hijacking β user-data exposure β mandatory disclosure. For B2C orgs, an XSS incident is a brand event with churn impact; for B2B, it's an enterprise-customer disclosure cycle. |
Read also: philosophy.md Β§investor-frame Β· niche-presets.json Β· analyzer-evaluation-framework.md
Vulnerability and Risk
Vulnerability: Improper sanitization occurs when user input is treated as safe without removing or encoding potentially dangerous characters (like HTML tags or script injection vectors) before using it in a sensitive context (like rendering in a browser or executing as code).
Risk: This leads to Cross-Site Scripting (XSS), where attackers can inject malicious scripts to steal sessions, redirect users, or deface websites. It can also lead to other injection attacks depending on the context (e.g., SQL injection, Command injection).
Rule Details
Improper sanitization occurs when user input is not properly cleaned before use in sensitive contexts. This can lead to:
- Cross-site scripting (XSS) attacks
- SQL/NoSQL injection
- Command injection
- Header injection
Why This Matters
| Issue | Impact | Solution |
|---|---|---|
| π XSS | Session hijacking | Use context-aware encoding |
| π Injection | Data breach | Use proper escaping functions |
| π Bypass | Security control evasion | Defense in depth |
Examples
β Incorrect
element.innerHTML = userInput.replace(/</g, "<");β Correct
// Use DOMPurify for HTML
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);
// Context-aware encoding
import { encodeForHTML, encodeForJavaScript } from 'safe-encoder';
const htmlSafe = encodeForHTML(userInput);
const jsSafe = encodeForJavaScript(userInput);
// Use proper escaping libraries
import { escape } from 'html-escaper';
const safeHtml = escape(userInput);
// Use parameterized queries (not string escaping)
db.query('SELECT * FROM users WHERE name = ?', [userInput]);Configuration
{
rules: {
'secure-coding/no-improper-sanitization': ['error', {
safeSanitizers: ['DOMPurify.sanitize', 'escape', 'encodeForHTML'],
dangerousChars: ['<', '>', '"', "'", '&'],
trustedLibraries: ['dompurify', 'html-escaper', 'xss']
}]
}
}Options
| Option | Type | Default | Description |
|---|---|---|---|
safeSanitizers | string[] | ['DOMPurify.sanitize'] | Safe sanitization functions |
dangerousChars | string[] | ['<', '>', '"', "'"] | Characters that should be escaped |
contexts | string[] | ['html', 'js', 'url', 'css'] | Encoding contexts to check |
trustedLibraries | string[] | ['dompurify'] | Trusted sanitization libraries |
Error Message Format
π CWE-116 OWASP:A03-Injection CVSS:7.5 | Improper Sanitization | HIGH [SOC2,PCI-DSS]
Fix: Use DOMPurify.sanitize() or context-aware encoding | https://cwe.mitre.org/...Known False Negatives
The following patterns are not detected due to static analysis limitations:
Values from Variables
Why: Values stored in variables are not traced.
// β NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);Mitigation: Validate all user inputs.
Wrapper Functions
Why: Custom wrappers not recognized.
// β NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internallyMitigation: Apply rule to wrapper implementations.
Dynamic Invocation
Why: Dynamic calls not analyzed.
// β NOT DETECTED - Dynamic
obj[method](userInput);Mitigation: Avoid dynamic method invocation.
Further Reading
- OWASP XSS Prevention - XSS prevention cheat sheet
- CWE-116 - Improper encoding
- DOMPurify - HTML sanitization library
Related Rules
no-unsanitized-html- XSS via innerHTMLno-unescaped-url-parameter- URL parameter injection