Severity: HIGH | CWE-116 | AI Security

OWASP LLM02 — Insecure Output Handling

Description

LLM-generated output is inserted into the page as raw HTML without sanitization, so a model response that contains script or active markup is executed in the user's browser, leading to XSS or code execution.

How Vezraa Detects It

We check how your app renders LLM output: if AI-generated content is passed to dangerouslySetInnerHTML or assigned to innerHTML, we flag it.

Real-World Impact

A compromised or malicious LLM response can inject scripts into your page, leading to XSS in the browser of every user who views the rendered output.

Fix Example

// BAD — render raw HTML straight from the model
function Answer({ aiResponse }) {
  return <div dangerouslySetInnerHTML={{ __html: aiResponse }} />;
}

// GOOD — sanitize first
import DOMPurify from 'dompurify';
function Answer({ aiResponse }) {
  return <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(aiResponse) }} />;
}
// If the output does not need to be HTML at all, render it as text instead
// and avoid the raw-HTML sink entirely: <p>{aiResponse}</p>
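The check described under "How Vezraa Detects It" can be approximated with a small line-based source scan. The following is an added example, not Vezraa's scanner: it finds the raw-HTML sinks shown in the fix above (dangerouslySetInnerHTML and innerHTML assignments) in JSX/JS source text and reports each one whose value is not wrapped in DOMPurify.sanitize(...). The sample source it scans is constructed here; the function names are assumptions.

```javascript
// Raw-HTML sinks to look for. Each regex captures the expression fed to the sink.
const SINKS = [
  // React: <div dangerouslySetInnerHTML={{ __html: EXPR }} />
  { name: 'dangerouslySetInnerHTML', re: /dangerouslySetInnerHTML=\{\{\s*__html:\s*([^}]+?)\s*\}\}/g },
  // DOM: el.innerHTML = EXPR;   ("=" not followed by "=" so comparisons are ignored)
  { name: 'innerHTML', re: /\.innerHTML\s*=(?!=)\s*([^;\n]+)/g },
];

// A sink value counts as sanitized only when it is a direct DOMPurify.sanitize(...) call.
const SANITIZED = /^\s*DOMPurify\.sanitize\(/;

// Returns one finding per sink: { line, sink, expr, sanitized }.
function findRawHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const { name, re } of SINKS) {
      re.lastIndex = 0; // reset the global regex between lines
      let m;
      while ((m = re.exec(text)) !== null) {
        const expr = m[1].trim();
        findings.push({ line: idx + 1, sink: name, expr, sanitized: SANITIZED.test(expr) });
      }
    }
  });
  return findings;
}

// The unsanitized sinks are the ones a reviewer needs to look at.
function unsanitizedSinks(source) {
  return findRawHtmlSinks(source).filter((f) => !f.sanitized);
}

// Constructed sample source: the page's BAD and GOOD patterns plus a legacy DOM sink.
const SAMPLE_SOURCE = [
  "import DOMPurify from 'dompurify';",
  "export function Answer({ aiResponse }) {",
  "  return <div dangerouslySetInnerHTML={{ __html: aiResponse }} />;",
  "}",
  "export function SafeAnswer({ aiResponse }) {",
  "  return <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(aiResponse) }} />;",
  "}",
  "function showLegacy(el, aiResponse) { el.innerHTML = aiResponse; }",
].join('\n');

for (const f of unsanitizedSinks(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: unsanitized ${f.sink} <- ${f.expr}`);
}
```

This is a heuristic: it only recognises a direct DOMPurify.sanitize call, so sanitization done earlier in the data flow would still be reported and needs a manual look.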

Affected Stacks

All LLM apps, Next.js, React
