Severity: HIGH | CWE-79 | Category: Injection

XSS via DOM Manipulation

Description

User-controlled data is inserted into the DOM through innerHTML, dangerouslySetInnerHTML (React), or v-html (Vue) without sanitization, so any markup or script it contains is interpreted by the browser instead of being displayed as text.

How Vezraa Detects It

We scan your app for client-side rendering patterns that use dangerous HTML injection methods with user-controlled data.

Real-World Impact

Attackers can execute arbitrary JavaScript in other users' browsers, stealing sessions, redirecting to phishing pages, or defacing content.

Fix Example

// BAD — dangerous HTML injection
<div dangerouslySetInnerHTML={{ __html: userInput }} />

// GOOD — use text content
<div>{userInput}</div>
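As an added illustration of the detection idea above (this is not Vezraa's scanner, and the sample source lines are constructed), the scanner below flags writes to the three sinks named on this page and ranks each one by whether the written expression is a constant, passes through a sanitizer call, or is dynamic and unsanitized:

```javascript
// Added example, not Vezraa's scanner: a minimal source scanner for the three
// DOM-XSS sinks named on this page. All sample code below is constructed.
const SINK_PATTERNS = [
  // element.innerHTML = <expr>  or  element.innerHTML += <expr>
  { sink: 'innerHTML', re: /\.innerHTML\s*\+?=(?!=)\s*([^;\n]+)/ },
  // React: dangerouslySetInnerHTML={{ __html: <expr> }}
  { sink: 'dangerouslySetInnerHTML', re: /dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:\s*([^}]+)\}\}/ },
  // Vue: v-html="<expr>"
  { sink: 'v-html', re: /v-html\s*=\s*"([^"]*)"/ },
];

// A right-hand side that is exactly one single- or double-quoted string literal
// carries no user data. Template literals are treated as dynamic (conservative).
const LITERAL_ONLY = /^(['"])(?:(?!\1)[^\\]|\\.)*\1$/;

// Rank a sink write by how likely it is to be the pattern this page describes.
function classify(expression) {
  if (LITERAL_ONLY.test(expression)) return 'low';          // constant markup
  if (/sanitize\s*\(/i.test(expression)) return 'medium';   // sanitizer called; review its config
  return 'high';                                            // dynamic, unsanitized HTML
}

// Returns one finding per matched sink: { line, sink, expression, confidence }.
function findDomXssSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const { sink, re } of SINK_PATTERNS) {
      const m = re.exec(text);
      if (!m) continue;
      const expression = m[1].trim();
      findings.push({ line: idx + 1, sink, expression, confidence: classify(expression) });
    }
  });
  return findings;
}

// Constructed sample: each line is one rendering pattern from the page.
const SAMPLE_SOURCE = [
  'el.innerHTML = location.hash.slice(1);',                                  // user-controlled
  'banner.innerHTML = "<p>Welcome back</p>";',                               // constant markup
  '<div dangerouslySetInnerHTML={{ __html: props.bio }} />',                 // user-controlled
  '<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(props.bio) }} />',
  '<p v-html="comment.body"></p>',                                           // user-controlled
  '<div>{userInput}</div>',                                                  // safe: rendered as text
].join('\n');

for (const f of findDomXssSinks(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.sink} <- ${f.expression} [${f.confidence}]`);
}
```

The last sample line, the page's GOOD pattern, produces no finding because React renders `{userInput}` as text rather than markup.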

Affected Stacks

React, Vue, Angular, Vanilla JS

