CWE-80 Basic Cross-Site Scripting
What this means
SiteShadow flagged output that may include untrusted data without proper encoding/escaping, allowing it to be interpreted as HTML or script in a browser.
Why it matters
XSS lets an attacker run script in your users' browsers, in the context of your origin. That enables:
- Account takeover by stealing session tokens or performing actions as the user.
- Data exfiltration from pages the user can access.
- UI manipulation (phishing inside your own domain).
Safer examples
1) Use safe text APIs (DOM)
el.textContent = userInput; // safe
// el.innerHTML = userInput; // risky
2) Sanitize if you must render user-provided HTML
import DOMPurify from "dompurify";
el.innerHTML = DOMPurify.sanitize(userHtml);
3) Escape by default in templates
Use templating/framework defaults that escape output by default; avoid "raw HTML" escape hatches.
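To make the "escape by default" rule concrete, here is a small auto-escaping template tag. It is an added example, not SiteShadow's code or a library's API: the `escapeHtml`, `html` and `raw` functions are names chosen for this illustration, and the user input is constructed. Every interpolated value is escaped unless it is explicitly wrapped in `raw()`, which is the one escape hatch and is meant only for content that has already been sanitized (for example by DOMPurify).

```javascript
// Added example of an auto-escaping template tag. Not SiteShadow's code;
// escapeHtml, html and raw are names chosen for this illustration.

// Replacements for the five characters that change meaning in HTML text and
// attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value for insertion into an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Wrapper marking content that is already safe (e.g. DOMPurify output) and
// must be inserted verbatim. The wrapper is the only way to bypass escaping.
class RawHtml {
  constructor(html) {
    this.html = html;
  }
}
function raw(html) {
  return new RawHtml(html);
}

// Tagged template: literal parts are trusted, interpolations are escaped
// unless they are RawHtml instances.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += v instanceof RawHtml ? v.html : escapeHtml(v);
    out += strings[i + 1];
  });
  return out;
}

// Constructed untrusted input: closes the surrounding element and opens a
// script element if inserted unescaped.
const userInput = "</p><script>alert(1)</script>";

// Safe rendering: the template tag escapes the comment body.
function renderComment(comment) {
  return html`<p class="comment">${comment}</p>`;
}

// Unsafe counterpart for comparison: plain string interpolation, no escaping.
// This is the pattern the scanner flags.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

console.log("safe:  ", renderComment(userInput));
console.log("unsafe:", renderCommentUnsafe(userInput));
```

The safe version yields `<p class="comment">&lt;/p&gt;&lt;script&gt;alert(1)&lt;/script&gt;</p>`, which the browser shows as text; the unsafe version emits a real `<script>` element. Keeping the escape hatch as an explicit, greppable `raw()` call is what lets a reviewer (or a scanner) find every place where escaping was turned off.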
How SiteShadow detects it (high level)
- Detects common XSS sinks (HTML/DOM/template rendering) and checks whether inputs are user-controlled.
- Recognizes sanitizers/escaping patterns to reduce false positives.
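The following is a deliberately simplified, pattern-based version of the sink/source/sanitizer check described above, added here as an illustration. It is not SiteShadow's implementation: the lists of sinks, user-controlled sources and sanitizers are assumptions chosen for the demo, and the scanned lines are constructed. A real scanner tracks data flow across statements rather than matching one line at a time, but the three ingredients are the same.

```javascript
// Added, simplified illustration of sink/source/sanitizer matching.
// Not SiteShadow's code; the SINKS, SOURCES and SANITIZERS lists are assumptions.

// Sinks that interpret a string as HTML. Each regex captures the value expression.
const SINKS = [
  { name: "innerHTML", re: /\.(?:innerHTML|outerHTML)\s*=\s*(.+?);?\s*$/ },
  { name: "document.write", re: /document\.write(?:ln)?\((.+)\)/ },
  { name: "insertAdjacentHTML", re: /insertAdjacentHTML\([^,]+,\s*(.+)\)/ },
];

// Expressions treated as user-controlled (assumed list for the demo).
const SOURCES =
  /\b(location\.(hash|search|href)|document\.referrer|req\.(query|body|params)|userInput|userHtml)\b/;

// Calls recognized as sanitizing/escaping (assumed list for the demo).
const SANITIZERS = /\b(DOMPurify\.sanitize|escapeHtml)\s*\(/;

// Scan source lines; report each sink whose value expression references a
// user-controlled source, noting whether a sanitizer wraps it.
function scanForXss(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    for (const sink of SINKS) {
      const m = line.match(sink.re);
      if (!m) continue;
      const expr = m[1];
      if (SOURCES.test(expr)) {
        findings.push({
          line: idx + 1,
          sink: sink.name,
          expr,
          sanitized: SANITIZERS.test(expr),
        });
      }
      break; // one sink per line is enough for this illustration
    }
  });
  return findings;
}

// Sanitized flows are suppressed to reduce false positives.
function findUnsanitized(lines) {
  return scanForXss(lines).filter((f) => !f.sanitized);
}

// Constructed sample of source lines to scan.
const SAMPLE = [
  "el.textContent = userInput;",                  // safe API, no sink
  "el.innerHTML = userInput;",                    // sink + source, unsanitized
  "el.innerHTML = DOMPurify.sanitize(userHtml);", // sink + source, sanitized
  "document.write(location.hash.slice(1));",      // sink + source, unsanitized
  'el.innerHTML = "<b>static</b>";',              // sink, constant value only
];

for (const f of findUnsanitized(SAMPLE)) {
  console.log(`line ${f.line}: ${f.sink} receives user-controlled value: ${f.expr}`);
}
```

Run against the sample, only lines 2 and 4 are reported: line 1 uses a safe API, line 3 passes through a recognized sanitizer, and line 5 writes a constant. The false-positive reduction is only as good as the sanitizer list, so a project-specific escaping helper that the scanner does not know about will still be reported until it is registered.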
References
- CWE-80: https://cwe.mitre.org/data/definitions/80.html