HIGH | CWE-79 | Injection
XSS via DOM Manipulation
Description
User-controlled data is inserted into the DOM using innerHTML, dangerouslySetInnerHTML, or v-html without sanitization.
How Vezraa Detects It
We scan your app for client-side rendering patterns that use dangerous HTML injection methods with user-controlled data.
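As an added illustration of the pattern-scanning idea (this is example code written for this page, not Vezraa's own scanner), the snippet below flags the three sinks named above whenever the value fed to them is anything other than a bare string literal; the regexes and the "bare literal" heuristic are simplifying assumptions, and the sample source is constructed.

```javascript
// Added illustration, not Vezraa's scanner: flag the three sinks named on this
// page when the value assigned to them is anything other than a bare string
// literal. The regexes are deliberately simple heuristics (an assumption).
const SINK_PATTERNS = [
  // el.innerHTML = <expr>  or  el.innerHTML += <expr>
  { sink: "innerHTML", re: /\.innerHTML\s*\+?=(?!=)\s*([^;\n]+)/g },
  // React: dangerouslySetInnerHTML={{ __html: <expr> }}
  { sink: "dangerouslySetInnerHTML", re: /dangerouslySetInnerHTML=\{\{\s*__html\s*:\s*([^}]+)\}\}/g },
  // Vue: v-html="<expr>"
  { sink: "v-html", re: /v-html="([^"]+)"/g },
];

// A plain string literal with no interpolation cannot carry user input.
function isStringLiteral(expr) {
  const s = expr.trim();
  return /^"[^"${]*"$/.test(s) || /^'[^'${]*'$/.test(s) || /^`[^`$]*`$/.test(s);
}

// Returns one finding per sink whose argument is not a bare literal.
function findDangerousSinks(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const { sink, re } of SINK_PATTERNS) {
      re.lastIndex = 0;
      let m;
      while ((m = re.exec(line)) !== null) {
        if (!isStringLiteral(m[1])) findings.push({ line: i + 1, sink, expr: m[1].trim() });
      }
    }
  });
  return findings;
}

// Constructed sample source mixing safe and unsafe rendering patterns.
const SAMPLE = [
  'el.innerHTML = "<b>Welcome</b>";',                        // static literal: not flagged
  'el.innerHTML = "<p>" + location.hash.slice(1) + "</p>";', // flagged: URL-controlled
  '<div dangerouslySetInnerHTML={{ __html: userInput }} />', // flagged (the BAD pattern below)
  '<div v-html="comment.body"></div>',                       // flagged
  '<div>{userInput}</div>',                                  // safe: React escapes text nodes
].join("\n");

console.log(findDangerousSinks(SAMPLE));
```

A real scanner would additionally trace whether the expression is actually user-controlled and whether it passed through a sanitizer; this version treats every non-literal as suspect, which favours false positives over misses.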
Real-World Impact
Attackers can execute arbitrary JavaScript in other users' browsers, stealing sessions, redirecting to phishing pages, or defacing content.
Fix Example
// BAD — dangerous HTML injection
<div dangerouslySetInnerHTML={{ __html: userInput }} />
// GOOD — use text content
<div>{userInput}</div>
Affected Stacks
React, Vue, Angular, Vanilla JS