CWE-116 Improper Encoding or Escaping of Output
What this means
SiteShadow flagged output that is not being encoded/escaped correctly for its context (HTML, attributes, JavaScript, URLs, SQL, shell). "Escape for the right context" is the key.
Why it matters
Improper encoding enables XSS and injection attacks.
- XSS when untrusted data is rendered into HTML/JS contexts.
- Header/URL injection when output is used in redirects or headers.
- Data corruption when the wrong encoding is applied (e.g., double-encoding).
Safer examples
1) Prefer templating/framework defaults (escape by default)
Avoid "raw HTML" rendering modes unless sanitized.
2) Use safe APIs (textContent vs innerHTML)
el.textContent = userInput; // safe for text: the browser treats the value as literal characters
// el.innerHTML = userInput; // risky: the value is parsed as HTML, so any markup in userInput is rendered
3) Use context-aware encoders/sanitizers
Use HTML escaping for HTML, URL encoding for URLs, and sanitizers for rich HTML.
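The three safer examples above come down to picking the encoder that matches the output context. The following is an added illustration (not code from the original page or from SiteShadow) of small context-specific encoders for HTML text, quoted attributes, URL query parameters and inline JavaScript string literals, plus the double-encoding mistake mentioned under "Why it matters". The function names, the entity table and the sample input are assumptions constructed for this example.

```javascript
// Added example: context-aware output encoders (not the page's or SiteShadow's code).
// Each encoder is meant for exactly one output context; applying the HTML encoder
// to a URL parameter, or none at all, is the mistake CWE-116 describes.

// Entity table for the HTML text-node and quoted-attribute contexts (assumed set).
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// HTML body / text-node context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Quoted HTML attribute context: the same entity set is sufficient because the
// helper always wraps the value in double quotes itself.
function escapeHtmlAttr(value) {
  return '"' + escapeHtml(value) + '"';
}

// URL query-parameter context: percent-encode; HTML entities would be wrong here.
function buildSearchUrl(base, query) {
  return base + '?q=' + encodeURIComponent(query);
}

// Inline JavaScript string-literal context: JSON.stringify handles quotes and
// backslashes; '<' is additionally escaped so a "</script>" inside the data
// cannot terminate the surrounding script block.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

// Render one untrusted value into three different contexts, each with its own encoder.
function renderResult(untrusted) {
  return [
    '<p>Results for ' + escapeHtml(untrusted) + '</p>',
    '<a href=' + escapeHtmlAttr(buildSearchUrl('/search', untrusted)) + '>again</a>',
    '<script>var q = ' + toJsStringLiteral(untrusted) + ';</script>',
  ].join('\n');
}

// Double-encoding: escaping already-escaped output corrupts the data
// (the "&" of "&lt;" becomes "&amp;lt;", so the user sees "&lt;" instead of "<").
function doubleEncoded(value) {
  return escapeHtml(escapeHtml(value));
}

// Constructed sample input containing characters significant in every context above.
const SAMPLE = '<b>"tom" & \'jerry\'</b>';

console.log(renderResult(SAMPLE));
console.log('double-encoded:', doubleEncoded('<'));
```

The point of `renderResult` is that the same input is encoded three times, once per context, rather than "escaped" once at the source and reused everywhere; a value encoded for HTML and then dropped into a URL or a script literal is exactly the wrong-context case this CWE covers.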
How SiteShadow detects it (high level)
- Identifies common output sinks (HTML/DOM/templating, headers, redirects) and checks whether inputs appear untrusted.
- Detects use of "raw" output modes without escaping/sanitization nearby.
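As an added illustration of the two heuristics named above (this is not SiteShadow's own logic, which tracks data flow far more thoroughly), here is a simplified line-based check that flags raw DOM output sinks whose right-hand side mentions a commonly untrusted source with no escaping or sanitizing call wrapped around it. The sink list, the escaper and untrusted-source name lists, and the sample source lines are all constructed assumptions for this example.

```javascript
// Added example: a toy raw-sink detector (not the page's or SiteShadow's code).
// Real scanners track data flow across statements; this only illustrates the idea
// of "raw output sink + untrusted input + no nearby escaping".

// Sinks that interpret their input as HTML/markup rather than text (assumed list).
const RAW_SINKS = [
  /\.innerHTML\s*=\s*(.+)/,
  /\.outerHTML\s*=\s*(.+)/,
  /document\.write\s*\((.+)\)/,
  /\.insertAdjacentHTML\s*\([^,]+,\s*(.+)\)/,
];

// Names whose presence in the assigned expression counts as escaping/sanitizing (assumed).
const ESCAPERS = /\b(escapeHtml|DOMPurify\.sanitize|encodeURIComponent|sanitize)\s*\(/;

// Names commonly carrying untrusted input (assumed for this illustration).
const UNTRUSTED = /\b(userInput|location\.(hash|search|href)|req\.(query|body|params)|params\.\w+)\b/;

// Returns one finding per line that writes an untrusted value into a raw sink without an escaper.
function findRawSinks(sourceLines) {
  const findings = [];
  sourceLines.forEach((line, idx) => {
    for (const sink of RAW_SINKS) {
      const m = line.match(sink);
      if (!m) continue;
      const rhs = m[1];
      if (UNTRUSTED.test(rhs) && !ESCAPERS.test(rhs)) {
        findings.push({
          line: idx + 1,
          sink: m[0].split(/[=(]/)[0].trim(),
          expression: rhs.trim(),
        });
      }
    }
  });
  return findings;
}

// Constructed sample source (not taken from any real code base).
const SAMPLE_SOURCE = [
  'el.textContent = userInput;',                                              // safe text API
  'el.innerHTML = userInput;',                                                // flagged
  'el.innerHTML = escapeHtml(userInput);',                                    // escaped, not flagged
  'document.write(location.hash);',                                           // flagged
  'box.insertAdjacentHTML("beforeend", DOMPurify.sanitize(req.body.comment));', // sanitized
  'out.innerHTML = "<b>static</b>";',                                         // constant, not flagged
];

for (const f of findRawSinks(SAMPLE_SOURCE)) {
  console.log('line ' + f.line + ': raw sink ' + f.sink + ' fed by ' + f.expression);
}
```

Note the obvious limits of such a check: it sees nothing when the untrusted value is assigned to a variable on one line and written to the sink on another, and it trusts any function whose name looks like an escaper, which is why a real detector reasons about data flow and about which encoder matches which context rather than matching names.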
References
- CWE-116: https://cwe.mitre.org/data/definitions/116.html