
Metadata

ID: javascript-browser-security/manual-sanitization

Language: JavaScript

Severity: Warning

Category: Security

CWE: 79

Description

Never sanitize HTML input by hand, for example by replacing a few characters such as `<` and `>` with entities. Such replacements cover at most one injection context (element text) and miss attribute values, URL schemes such as `javascript:`, and mistyped or incomplete entity names, so the rendered page remains vulnerable to cross-site scripting (CWE-79). Use a dedicated, maintained module such as sanitize-html, which parses the markup and applies an allowlist of tags, attributes, and URL schemes, to sanitize user input before it is rendered.

Non-Compliant Code Examples

// Only '<' and '>' are replaced: quotes, attribute breakouts and
// javascript: URLs pass through untouched.
const sanitizedInput = input
  .replaceAll('<', '&lt;')
  .replaceAll('>', '&gt;');
const html = `<strong>${sanitizedInput}</strong>`;

// Replacing arbitrary substrings is not sanitization at all.
const sanitizedInput2 = input
  .replaceAll('bla', '&lt;')
  .replaceAll('foo', '&gt;');

// Hand-written entity strings are easy to get wrong: '&lt' and 'gt;' are
// mistyped, so the markup is not reliably neutralized.
const sanitizedInput3 = input
  .replaceAll('<', '&lt')
  .replaceAll('>', 'gt;');
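The following added example is not part of the original rule page. It shows why the first non-compliant pattern above fails: replacing only `<` and `>` happens to hold up when the value lands in element text, but does nothing once the same value lands in an attribute, and even a complete entity escaper cannot turn a `javascript:` URL into a safe one. The function names, the small tag/attribute checker, and the attacker inputs are all constructed for this illustration; the checker only approximates how a browser would read the markup and is not itself a sanitizer.

```javascript
// Added example (not from the original rule page). All names and inputs below
// are constructed for illustration.

// The manual approach the rule flags: only angle brackets are touched.
function naiveEscape(input) {
  return input.replaceAll('<', '&lt;').replaceAll('>', '&gt;');
}

// A complete entity escaper for text and double-quoted attribute values.
// It closes the quote-breakout hole but cannot change a URL's scheme.
function escapeHtml(input) {
  return input
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render a link whose href and label are both untrusted, using a given escaper.
function renderLink(url, label, escape) {
  return `<a href="${escape(url)}">${escape(label)}</a>`;
}

// Tokenize the attributes of one raw tag, roughly the way a browser would:
// a double-quoted value runs to the next double quote, so '&quot;' inside it
// stays part of the value.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<[a-zA-Z][^\s>]*/, '').replace(/\/?>$/, '');
  const re = /\s+([^\s=>/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Crude detector used only to make the failures visible: does any raw tag in
// the markup carry an on* event handler or a javascript: href? Escaped text
// such as '&lt;img ...&gt;' contains no raw tag and so is never flagged.
function looksInjected(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => {
    const attrs = parseAttributes(tag);
    return Object.keys(attrs).some((name) => name.startsWith('on')) ||
      /^\s*javascript:/i.test(attrs.href || '');
  });
}

// Constructed attacker inputs.
const ATTRIBUTE_BREAKOUT = '" autofocus onfocus="alert(1)';
const JS_URL = 'javascript:alert(1)';
const TAG_IN_TEXT = '<img src=x onerror=alert(1)>';

function demo() {
  return {
    // Text context: the naive escaper happens to hold up here.
    textNaive: looksInjected(renderLink('https://example.com', TAG_IN_TEXT, naiveEscape)),
    // Attribute context: the payload has no '<' or '>', so naiveEscape is a no-op
    // and the attacker closes the href value and adds an event handler.
    attrNaive: looksInjected(renderLink(ATTRIBUTE_BREAKOUT, 'x', naiveEscape)),
    // The complete escaper encodes the quote and closes that hole...
    attrFull: looksInjected(renderLink(ATTRIBUTE_BREAKOUT, 'x', escapeHtml)),
    // ...but no amount of escaping makes 'javascript:' a safe scheme; only a
    // context-aware allowlist (what a sanitizer library applies) rejects it.
    urlFull: looksInjected(renderLink(JS_URL, 'x', escapeHtml)),
  };
}

console.log(demo());
```

The last case is the one that matters for this rule: character escaping is an output-encoding step for a known context, not sanitization. Deciding which tags, attributes and URL schemes may survive requires parsing the markup and applying a policy, which is what sanitize-html does (its `allowedTags`, `allowedAttributes` and `allowedSchemes` options) and what ad-hoc `replaceAll` chains cannot.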

Compliant Code Examples

import sanitizeHtml from 'sanitize-html';

// sanitize-html parses the markup and keeps only allowlisted tags,
// attributes and URL schemes, so the caller does not hand-roll the policy.
const html = sanitizeHtml(`<strong>${input}</strong>`);