Details
Alert ID 220010-3
Alert Type Tool
Status alpha
Risk Medium
CWE 451
WASC
Technologies Targeted All
Tags CWE-451, OWASP_2021_A05, OWASP_2025_A02, TOOL_PTK

Summary

Detects untrusted DOM data (query string, hash, postMessage payloads, form fields) being written into form metadata (formAction/target/method/value/placeholder), inline style surfaces (style/cssText/background*), document.title, history state (pushState/replaceState), or createHTMLDocument. These mutations change what the user sees or where the form navigates and can therefore misrepresent the UI (CWE-451). The classic href/src/action sinks are deliberately excluded because other PTK rules already cover them.

Generated by OWASP PTK SAST Module

Solution

• Validate or allow-list values before assigning them to form metadata, placeholders, or styles: resolve a candidate formAction against the page origin and reject anything cross-origin or with a non-http(s) scheme; accept target and method only from a fixed set; set individual style properties against a strict grammar instead of assigning cssText. Prefer safe DOM APIs (textContent, dataset) when representing user data.
• Keep document.title and history.pushState/replaceState inputs confined to trusted sources; normalise or encode untrusted data first, and keep the history state object plain data rather than markup.
• When creating HTML documents dynamically (createHTMLDocument), ensure the template string is static or sanitised with vetted libraries such as DOMPurify.
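The following is an added example (not code from OWASP PTK or its SAST module) showing the pattern this rule flags next to a hardened version. It assumes a hypothetical checkout page on the origin https://shop.example with a fallback endpoint /submit; the query string, the helper names and the sample attacker input are all constructed for illustration. The validators are pure functions so they can be exercised outside a browser; apply() is the only part that touches the DOM.

```javascript
// Added example, not OWASP PTK's own code: allow-listing untrusted query-string data
// before it reaches the form-metadata, style, title and history sinks this rule flags.

const ALLOWED_TARGETS = new Set(["_self", "_blank"]);
const ALLOWED_METHODS = new Set(["get", "post"]);
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;

// Resolve a user-supplied URL against the page origin and accept it only if it stays
// there: javascript:, data:, protocol-relative (//host) and cross-origin values all fail.
function sameOriginUrl(raw, origin) {
  if (raw == null) return null;
  let url;
  try {
    url = new URL(String(raw), origin);
  } catch {
    return null;
  }
  return url.origin === origin ? url.href : null;
}

function safeTarget(raw) {
  return ALLOWED_TARGETS.has(raw) ? raw : "_self";
}

function safeMethod(raw) {
  const m = String(raw ?? "").toLowerCase();
  return ALLOWED_METHODS.has(m) ? m : "get";
}

// Display text (placeholder, document.title): collapse control characters and whitespace
// and cap the length so a crafted value cannot push the real chrome text out of view.
function safeDisplayText(raw, max = 120) {
  return String(raw ?? "")
    .replace(/[\u0000-\u001f\u007f\u2028\u2029]/g, " ")
    .replace(/\s+/g, " ")
    .trim()
    .slice(0, max);
}

// Never assign untrusted cssText; accept a single property value against a strict grammar.
function safeColor(raw) {
  return HEX_COLOR.test(String(raw ?? "")) ? raw : null;
}

// The pattern the rule reports: query-string data flows straight into the sinks.
function applyUnsafe(form, doc, params) {
  form.action = params.get("next");          // formAction sink: attacker picks the destination
  form.target = params.get("target");        // target sink
  form.style.cssText = params.get("theme");  // inline style sink: arbitrary CSS, incl. url()
  doc.title = params.get("title");           // document.title sink: spoofed tab/window title
}

// Hardened version. Pure: computes one safe value per sink from untrusted URLSearchParams.
function harden(params, origin) {
  const fallbackAction = new URL("/submit", origin).href; // assumed app endpoint
  const next = sameOriginUrl(params.get("next"), origin) ?? fallbackAction;
  return {
    action: next,
    target: safeTarget(params.get("target")),
    method: safeMethod(params.get("method")),
    placeholder: safeDisplayText(params.get("hint")),
    title: safeDisplayText(params.get("title") ?? "Checkout"),
    backgroundColor: safeColor(params.get("bg")) ?? "#ffffff",
    historyUrl: next,
  };
}

// Writes the hardened values into the live sinks. `form` and `input` are the page's own
// elements; `doc` and `hist` default to the browser globals.
function apply(values, form, input, doc = globalThis.document, hist = globalThis.history) {
  form.action = values.action;
  form.target = values.target;
  form.method = values.method;
  input.placeholder = values.placeholder;
  form.style.backgroundColor = values.backgroundColor; // one property, never cssText
  doc.title = values.title;
  hist.replaceState({ step: "review" }, "", values.historyUrl); // state is plain data
}

// Constructed sample input: an attacker-controlled query string.
const ORIGIN = "https://shop.example";
const EVIL = new URLSearchParams(
  "next=//attacker.example/steal&target=_top&method=PUT" +
  "&bg=url(https://attacker.example/p.png)&title=Bank%20Login%0Asecure"
);

if (typeof document !== "undefined") {
  const form = document.querySelector("form");
  const input = form && form.querySelector("input");
  if (form && input) apply(harden(new URLSearchParams(location.search), location.origin), form, input);
}
```

With the constructed input, harden() replaces the cross-origin next with the same-origin fallback, downgrades target and method to _self and get, discards the url() background in favour of the default colour, and collapses the newline in the title so it cannot be used to fake a second line of browser chrome.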

Other Info

References

Code

src/ptk/background/sast/modules/modules.json