
[Cycode] Fix for SAST detections - Unsanitized user input in dynamic HTML insertion (XSS) #5

Open
cycode-security[bot] wants to merge 1 commit into main from main-cycode-fix-suggestion-7d159b

Conversation

@cycode-security

[Cycode] Fix for SAST detections - Unsanitized user input in dynamic HTML insertion (XSS)

document.getElementById("previewRetrieval").src = "data:image/png;base64," + result;
var base64String = "data:image/png;base64," + result;
var sanitizedBase64String = sanitizeHtml(base64String);
document.getElementById("previewRetrieval").src = sanitizedBase64String;
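Review bot: sanitizeHtml is the wrong control for this sink. The value is assigned to the `src` of an image element as a `data:image/png;base64,` URI, so the browser parses it as a PNG, not as markup; an HTML sanitizer does not check that `result` is base64, and for a string that is valid base64 it returns it unchanged, because the base64 alphabet (A-Z, a-z, 0-9, +, /, =) contains none of the characters an HTML sanitizer escapes or strips. If `result` can come from an untrusted source, the check that belongs here is a strict base64 validation (alphabet, padding, a length cap, optionally the 8-byte PNG signature) with the assignment skipped on failure; if it comes from a trusted backend, this is a false positive for an `img.src` sink and should be marked as one. The same applies to the randomCatPicture, preview and previewRemoveUserInput assignments in this PR.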
cycode-security[bot] (Author):

Cycode: SAST violation: 'Unsanitized user input in dynamic HTML insertion (XSS)'.

Severity: High

Description

Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.

Cycode Remediation Guideline

✅ Do


  • Do use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.
import sanitizeHtml from 'sanitize-html';

const html = `<strong>${user.Input}</strong>`;
document.body.innerHTML = sanitizeHtml(html);

📋 References


🎥 Learning materials (by Secure Code Warrior)


Tell us how you wish to proceed using one of the following commands:

Tag Short Description
#cycode_sast_ignore_here <reason> Ignore this violation — applies to this violation only
#cycode_ai_remediation Request remediation guidance using Cycode AI
#cycode_sast_false_positive <reason> Mark as false positive — applies to this violation only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.
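The hunk and the remediation guideline above treat `img.src` and `innerHTML` as the same sink, but they need different controls. The following is an added example, not code from this PR and not Cycode's, showing what a reviewer would ask for instead: strict base64 and PNG-signature validation before building the data URI (the `img.src` case in the hunk), and a text-node assignment for the HTML-insertion case the guideline describes. The element objects, the `MAX_BASE64_LENGTH` cap, the `htmlTextEscape` stand-in and the sample payloads are all constructed for the example.

```javascript
// Added example (not the project's code and not Cycode's): separate controls for the
// two sinks discussed in this PR. Everything here is constructed for the example:
// the element objects stand in for DOM nodes, the size cap is an assumed policy,
// and htmlTextEscape only stands in for what an HTML sanitizer does to plain text.

// Assumed policy: reject encoded payloads above 4 MiB before they reach the browser.
const MAX_BASE64_LENGTH = 4 * 1024 * 1024;

// Standard base64 alphabet (RFC 4648 section 4), length a multiple of 4, padding only at the end.
const STRICT_BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// First eight bytes of every PNG file.
const PNG_SIGNATURE = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];

// atob/btoa are globals in browsers and in Node 16+; fall back to Buffer for older Node.
const fromBase64 = (s) => (typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("latin1"));
const toBase64 = (s) => (typeof btoa === "function" ? btoa(s) : Buffer.from(s, "latin1").toString("base64"));

function isStrictBase64(value) {
  return typeof value === "string"
    && value.length > 0
    && value.length <= MAX_BASE64_LENGTH
    && STRICT_BASE64_RE.test(value);
}

// Decodes only the first 12 base64 characters (9 bytes) and compares the PNG signature,
// so a bad payload is rejected without decoding all of it. Callers run isStrictBase64 first.
function hasPngSignature(b64) {
  const head = fromBase64(b64.slice(0, 12));
  return head.length >= PNG_SIGNATURE.length
    && PNG_SIGNATURE.every((byte, i) => head.charCodeAt(i) === byte);
}

// Builds the same data URI the PR builds, but only for input that is demonstrably base64-encoded PNG.
function pngDataUriFromUntrusted(result) {
  if (!isStrictBase64(result)) throw new TypeError("preview payload is not strict base64");
  if (!hasPngSignature(result)) throw new TypeError("preview payload is not a PNG");
  return "data:image/png;base64," + result;
}

// URL/attribute sink: the assignment from the PR, guarded by validation instead of an HTML sanitizer.
// `img` is any object with a `src` property (a real HTMLImageElement in the browser).
function setPreviewImage(img, result) {
  img.src = pngDataUriFromUntrusted(result);
  return img.src;
}

// HTML sink (the case the remediation guideline describes): untrusted text becomes a text node
// via textContent, so it is never parsed as markup and no sanitizer is involved.
function setCaption(el, text) {
  el.textContent = String(text);
  return el.textContent;
}

// Stand-in for the escaping an HTML sanitizer applies to text outside tags (an assumption for
// the example, not sanitize-html's implementation). Shows why it is a no-op on base64 input.
function htmlTextEscape(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Constructed samples: a minimal PNG (only its signature matters here), a valid base64 string
// that is not a PNG, and a classic attribute-breakout payload that is not base64 at all.
const ONE_PX_PNG = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==";
const NOT_A_PNG = toBase64("GIF89a not a png");
const HOSTILE = '"><img src=x onerror=alert(1)>';

function demo() {
  const img = { src: "" };
  const caption = { textContent: "" };
  const outcomes = {
    validPng: setPreviewImage(img, ONE_PX_PNG).startsWith("data:image/png;base64,iVBORw0KGgo"),
    escapeIsNoOp: htmlTextEscape(ONE_PX_PNG) === ONE_PX_PNG,
    hostileRejected: false,
    wrongTypeRejected: false,
    captionSafe: setCaption(caption, HOSTILE) === HOSTILE, // stored as text, never parsed as markup
  };
  try { setPreviewImage(img, HOSTILE); } catch (e) { outcomes.hostileRejected = e instanceof TypeError; }
  try { setPreviewImage(img, NOT_A_PNG); } catch (e) { outcomes.wrongTypeRejected = e instanceof TypeError; }
  return outcomes;
}
```

`demo()` returns an object whose five flags are all `true`: the PNG is accepted and assigned, the hostile string and the non-PNG base64 are rejected before any assignment, the escaping an HTML sanitizer would apply leaves a base64 payload unchanged (which is why the PR's call cannot change behaviour for valid input), and the caption sink stays safe with `textContent` alone.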

document.getElementById("randomCatPicture").src = "data:image/png;base64," + result;
var base64String = "data:image/png;base64," + result;
var sanitizedBase64String = sanitizeHtml(base64String);
document.getElementById("randomCatPicture").src = sanitizedBase64String;
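Review bot: `sanitizeHtml` is called but never imported in this hunk, so unless the module already defines a global of that name, this line throws a ReferenceError and the cat picture is never set. The import shown in the guideline (`import sanitizeHtml from 'sanitize-html';`) and the dependency would have to be added, but even then the call does nothing useful here: the string is a base64 data URI going into `img.src`, not HTML going into the DOM. Validate that `result` matches the base64 alphabet and padding instead, and drop the sanitizer call.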
cycode-security[bot] (Author):

Cycode: SAST violation: 'Unsanitized user input in dynamic HTML insertion (XSS)'.

Severity: High

Description

Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.

Cycode Remediation Guideline

✅ Do


  • Do use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.
import sanitizeHtml from 'sanitize-html';

const html = `<strong>${user.Input}</strong>`;
document.body.innerHTML = sanitizeHtml(html);

📋 References


🎥 Learning materials (by Secure Code Warrior)


Tell us how you wish to proceed using one of the following commands:

Tag Short Description
#cycode_sast_ignore_here <reason> Ignore this violation — applies to this violation only
#cycode_ai_remediation Request remediation guidance using Cycode AI
#cycode_sast_false_positive <reason> Mark as false positive — applies to this violation only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

document.getElementById("preview").src = "data:image/png;base64," + result;
var base64String = "data:image/png;base64," + result;
var sanitizedBase64String = sanitizeHtml(base64String);
document.getElementById("preview").src = sanitizedBase64String;
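Review bot: the new `sanitizedBase64String` name is misleading: for any `result` that actually is base64, its value is identical to `base64String`, so a later reader will assume a check happened that did not. Either name it for what is done, or replace the sanitizer with an explicit validation that rejects non-base64 input, for example `if (!/^[A-Za-z0-9+/]+={0,2}$/.test(result)) return;` before the data URI is built and assigned.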
cycode-security[bot] (Author):

Cycode: SAST violation: 'Unsanitized user input in dynamic HTML insertion (XSS)'.

Severity: High

Description

Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.

Cycode Remediation Guideline

✅ Do


  • Do use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.
import sanitizeHtml from 'sanitize-html';

const html = `<strong>${user.Input}</strong>`;
document.body.innerHTML = sanitizeHtml(html);

📋 References


🎥 Learning materials (by Secure Code Warrior)


Tell us how you wish to proceed using one of the following commands:

Tag Short Description
#cycode_sast_ignore_here <reason> Ignore this violation — applies to this violation only
#cycode_ai_remediation Request remediation guidance using Cycode AI
#cycode_sast_false_positive <reason> Mark as false positive — applies to this violation only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

document.getElementById("previewRemoveUserInput").src = "data:image/png;base64," + result;
var base64String = "data:image/png;base64," + result;
var sanitizedBase64String = sanitizeHtml(base64String);
document.getElementById("previewRemoveUserInput").src = sanitizedBase64String;
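Review bot: with the media type fixed to `image/png` in the string literal, the element can only ever try to decode `result` as an image, whatever it contains; the worst outcome of a bad value is a broken preview, not script execution. If the team agrees the source of `result` is the backend, this finding is better closed with `#cycode_sast_false_positive` (one of the commands the bot offers above) than with a sanitizer call that changes nothing and adds a dependency; if `result` is untrusted and its size matters, cap its length before the assignment.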
cycode-security[bot] (Author):

Cycode: SAST violation: 'Unsanitized user input in dynamic HTML insertion (XSS)'.

Severity: High

Description

Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.

Cycode Remediation Guideline

✅ Do


  • Do use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.
import sanitizeHtml from 'sanitize-html';

const html = `<strong>${user.Input}</strong>`;
document.body.innerHTML = sanitizeHtml(html);

📋 References


🎥 Learning materials (by Secure Code Warrior)


Tell us how you wish to proceed using one of the following commands:

Tag Short Description
#cycode_sast_ignore_here <reason> Ignore this violation — applies to this violation only
#cycode_ai_remediation Request remediation guidance using Cycode AI
#cycode_sast_false_positive <reason> Mark as false positive — applies to this violation only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.


1 participant