Details
Alert ID: 220000-8
Alert Type: Tool
Status: alpha
Risk: High
CWE: 79
WASC:
Technologies Targeted: All
Tags: CWE-79, OWASP_2021_A03, OWASP_2025_A05, TOOL_PTK

Summary

Detects cases where untrusted data from the DOM (URL, element values, storage, messages, etc.) flows into HTML/JS execution sinks (e.g., innerHTML, outerHTML, document.write, string-based setTimeout, insertAdjacentHTML) without proper sanitization or encoding, enabling DOM-based cross-site scripting.

Generated by OWASP PTK SAST Module

Solution

Prevent DOM-based XSS by never inserting untrusted strings directly into HTML or executing them as code. Prefer DOM/text APIs, safe templating, or a vetted sanitizer, and apply context-aware encoding where needed.

• Primary: Use textContent / innerText or create DOM nodes instead of string-based HTML insertion. If you must insert HTML, sanitize it with a vetted library such as DOMPurify.
• Secondary: Apply context-sensitive encoding for attributes and JavaScript contexts, avoid eval / new Function / setTimeout with strings, and prefer safe templating engines.
• Controls: Use Content Security Policy (CSP), follow least-privilege principles, and validate/allow-list input shapes where practical.
• Testing: Add unit/browser tests for inline handlers and client-side flows that read from location, form inputs, storage, and postMessage.
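To make the source-to-sink pattern from the Summary and the fixes from the Solution concrete, here is an added example of a minimal line-based taint check over JavaScript source. It is not the PTK SAST module's own code; the source, sink and sanitizer lists and the sample input are assumptions chosen to match this alert.

```javascript
// Added example, not the PTK module's own code: a small line-based taint heuristic for
// the source-to-sink pattern this alert describes. Source, sink and sanitizer lists are
// assumptions matching the summary; a real SAST engine works on an AST and across scopes.
const DOM_SOURCES = [
  /\blocation\.(href|hash|search|pathname)\b/,
  /\bdocument\.(URL|referrer|cookie)\b/,
  /\b(localStorage|sessionStorage)\.getItem\s*\(/,
  /\bevent\.data\b/, // payload inside a postMessage handler
];
const SANITIZERS = [/\bDOMPurify\.sanitize\s*\(/]; // wrapping an expression in these clears taint
// Each sink regex captures the expression reaching the sink; setTimeout only in its string form.
const SINKS = [
  { name: "innerHTML/outerHTML", re: /\.(?:inner|outer)HTML\s*=(?!=)\s*(.+)$/ },
  { name: "document.write", re: /\bdocument\.write(?:ln)?\s*\((.+)\)/ },
  { name: "insertAdjacentHTML", re: /\.insertAdjacentHTML\s*\([^,]+,\s*(.+)\)/ },
  { name: "setTimeout(string)", re: /\bsetTimeout\s*\(\s*(["'`].*),\s*\d+\s*\)/ },
];

// True if expr reads a DOM source or an already-tainted variable, unless a sanitizer wraps it.
function isTainted(expr, tainted) {
  if (SANITIZERS.some((re) => re.test(expr))) return false;
  if (DOM_SOURCES.some((re) => re.test(expr))) return true;
  const ids = expr.match(/[A-Za-z_$][\w$]*/g) || [];
  return ids.some((id) => tainted.has(id));
}

// Single top-to-bottom pass: a declaration initialised from a tainted expression
// taints its variable; a sink fed a tainted expression becomes a finding.
function findDomXssCandidates(source) {
  const tainted = new Set();
  const findings = [];
  source.split("\n").forEach((raw, idx) => {
    const line = raw.trim();
    const decl = line.match(/^(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+?);?$/);
    if (decl && isTainted(decl[2], tainted)) tainted.add(decl[1]);
    for (const { name, re } of SINKS) {
      const m = line.match(re);
      if (m && isTainted(m[1], tainted)) findings.push({ line: idx + 1, sink: name, code: line });
    }
  });
  return findings;
}

// Constructed sample: three vulnerable flows (lines 3, 5, 6) and the two fixes the Solution recommends (line 4).
const SAMPLE = `const params = new URLSearchParams(location.search);
const name = params.get("name");
document.getElementById("greet").innerHTML = "Hello " + name;
document.getElementById("safe").textContent = name; document.getElementById("rich").innerHTML = DOMPurify.sanitize(name);
setTimeout("track('" + location.hash + "')", 10);
window.addEventListener("message", (event) => { document.write(event.data); });`;
```

Running findDomXssCandidates(SAMPLE) reports the innerHTML, string setTimeout and document.write lines while leaving the textContent and DOMPurify lines unflagged; the heuristic ignores reassignments and cross-function flow by design.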

Other Info

References

Code

src/ptk/background/sast/modules/modules.json