X01 XSS Risk
What this means
SiteShadow flagged code where untrusted input appears to flow into HTML/DOM sinks (places that can interpret it as markup or script).
Why it matters
- Account takeover: session tokens can be stolen.
- Data theft: attackers can read/modify UI state and exfiltrate data.
- Supply-chain style impact: one XSS can affect every user who loads the page.
Safer examples
1) Use text APIs, not HTML APIs (DOM)
// Good
el.textContent = userInput;
// Risky
// el.innerHTML = userInput;
2) If you must render HTML, sanitize with a well-known library
import DOMPurify from "dompurify";
el.innerHTML = DOMPurify.sanitize(userHtml);
3) Prefer frameworks' safe templating defaults
Most templating systems escape by default. Avoid "raw HTML" escape hatches unless you sanitize.
How SiteShadow detects it (high level)
- Looks for DOM sinks (innerHTML, dangerouslySetInnerHTML, v-html, document.write, jQuery.html()).
- Checks whether the value appears user-controlled (request/query/body, URL fragments, untrusted data).
- Attempts to recognize common sanitizers/escaping patterns to reduce false positives.
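The three checks above, as an added illustrative line-based approximation in JavaScript (not SiteShadow's own implementation); the sink, source and sanitizer patterns and the sample snippet are assumptions constructed for this example:

```javascript
// Added example, not SiteShadow's own code: a line-based approximation of
// the sink / source / sanitizer check described above. All patterns are
// illustrative assumptions, not the tool's real rules.
const SINKS = [
  /\.innerHTML\s*=/, /dangerouslySetInnerHTML/, /\bv-html\b/,
  /document\.write\s*\(/, /\.html\s*\(/, // last one: jQuery .html()
];
const SOURCES = [
  /location\.(hash|search|href)/, // URL fragment / query string
  /req\.(query|body|params)/,     // request data on the server side
  /userInput|userHtml|untrusted/, // constructed naming convention
];
const SANITIZERS = [
  /DOMPurify\.sanitize\s*\(/,
  /escapeHtml\s*\(/,              // hypothetical escaping helper
];

// Returns "X01" for an unsanitized user-controlled value reaching a sink,
// "sanitized" when a known sanitizer wraps it, or null when not applicable.
function classifyLine(line) {
  if (line.trim().startsWith("//")) return null; // skip commented-out code
  if (!SINKS.some((re) => re.test(line))) return null;
  if (!SOURCES.some((re) => re.test(line))) return null;
  return SANITIZERS.some((re) => re.test(line)) ? "sanitized" : "X01";
}

// Scans a source text and reports 1-based line numbers flagged as X01.
function scan(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    if (classifyLine(line) === "X01") findings.push({ line: i + 1, code: line.trim() });
  });
  return findings;
}

// Constructed sample mirroring the page's own snippets.
const SAMPLE = [
  "el.textContent = userInput;",                   // 1: text API, not a sink
  "// el.innerHTML = userInput;",                  // 2: comment, skipped
  "el.innerHTML = userInput;",                     // 3: flagged
  "el.innerHTML = DOMPurify.sanitize(userHtml);",  // 4: sanitized
  "document.write(location.hash);",                // 5: flagged
  '$("#out").html(escapeHtml(req.query.q));',      // 6: sanitized
].join("\n");

console.log(scan(SAMPLE)); // → [{ line: 3, ... }, { line: 5, ... }]
```

A real scanner tracks data flow across statements and files; this per-line version only shows why recognising sanitizers matters for keeping false positives down.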
References
- CWE-79: https://cwe.mitre.org/data/definitions/79.html
- OWASP XSS: https://owasp.org/www-community/attacks/xss/