CWE-79 | Severity: High | MITRE entry

Cross-site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

What it is

CWE-79 covers all variants of cross-site scripting: reflected, stored, and DOM-based. The weakness exists when a web application embeds user-controlled input into a page without neutralizing it for the context in which it lands (HTML text, attribute value, URL, or script). An attacker who controls the input can inject script that executes in the victim's browser with the full privileges of the vulnerable origin.

Why it matters

XSS has appeared in every OWASP Top 10 release (as its own category through 2017, folded into A03:2021 Injection since) and in every CWE Top 25. Successful exploitation lets an attacker read session cookies not marked HttpOnly, log keystrokes, render a fake login form inside the trusted origin, issue requests that carry the victim's credentials (which also defeats CSRF tokens, since the injected script can read them), and escalate to account takeover. Modern frameworks (React, Angular, Vue) escape interpolated values by default, but XSS resurfaces whenever developers reach for React's dangerouslySetInnerHTML, Vue's v-html, or Angular's bypassSecurityTrustHtml with unsanitized content (Angular's plain [innerHTML] binding is sanitized; the bypass methods switch that off).

Common patterns

  • Rendering req.query.q directly into HTML without escaping.
  • Using dangerouslySetInnerHTML in React with unsanitized content from a CMS or user post.
  • Concatenating user input into strings that are assigned to innerHTML or passed to document.write.
  • Reading headers, cookies, location.hash, or location.search client-side and writing them into the DOM (DOM-based XSS; the server never sees the payload).
  • Stored XSS via comment systems, profile bios, or chat messages whose Markdown renderer passes raw HTML through without an allowlist sanitizer.

Languages affected

JavaScript, TypeScript, Python, Ruby, Java, Go, PHP

What Deva detects

Deva's taint-mode rules track data from user-controlled sources (req.query, req.body, req.params, message bodies, file uploads) through to DOM sinks (innerHTML, dangerouslySetInnerHTML, document.write, jQuery .html()). The scanner reports DEFINITE when input reaches a sink without passing through a recognized sanitizer (DOMPurify, sanitize-html, escape-html), LIKELY when a sanitizer is present but may be misconfigured, and PROBABLY_FP when the input source is confirmed-safe (constants, escaped output from a templating engine).

Example

Vulnerable

app.get('/search', (req, res) => {
  // req.query.q is attacker-controlled and lands in the HTML body unescaped
  res.send(`<h1>Results for: ${req.query.q}</h1>`)
})

Fixed

import escapeHtml from 'escape-html'

app.get('/search', (req, res) => {
  // escape-html encodes & < > " ' so the value is inert in HTML text and
  // quoted-attribute contexts; other contexts need their own encoding
  res.send(`<h1>Results for: ${escapeHtml(req.query.q)}</h1>`)
})

Explanation

The vulnerable version reflects req.query.q into the HTML body unescaped. A request for /search?q=<script>alert(document.cookie)</script> therefore runs attacker script in the session of whoever opens that link. The fix passes the value through escape-html, which encodes &, <, >, " and ' and so neutralizes it for HTML text and quoted attribute values. It does not make a value safe inside an unquoted attribute, a URL (a javascript: scheme survives character escaping untouched), or a <script> block; each of those contexts needs its own encoding or an allowlist. Where user content legitimately carries HTML (Markdown comments, rich bios), escaping is the wrong tool: sanitize with DOMPurify (in the browser, or server-side on top of jsdom) or sanitize-html (Node) using a strict tag and attribute allowlist, and treat a Content-Security-Policy as defence in depth rather than a substitute for either.
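The following is an added example, not code from this page or from Deva, that carries the fix above through the other contexts the "Common patterns" list touches: HTML body, quoted attribute, unquoted attribute, and URL. It has no dependencies so it runs offline; the escapeHtml helper reproduces the five replacements the escape-html package makes, the payload strings are constructed for the demonstration, and the base URL inside safeUrl is an assumption used only so that relative paths parse.

```javascript
// Added example, not code from the page or from Deva: output encoding chosen by
// the context the untrusted value lands in.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text content and *quoted* attribute values. String() also flattens the
// array that Express's query parser produces for ?q=a&q=b.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URL context (href, src): character escaping leaves a "javascript:" scheme
// intact, so the scheme is allowlisted first. The base URL is an assumption
// that lets relative paths parse; the caller's original string is returned.
function safeUrl(input) {
  const raw = String(input);
  let parsed;
  try {
    parsed = new URL(raw, 'https://example.invalid/');
  } catch {
    return 'about:blank';
  }
  return parsed.protocol === 'https:' || parsed.protocol === 'http:' ? raw : 'about:blank';
}

// Body context: the page's fix, as a function so the result can be checked.
function renderResults(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Quoted attribute context: the same escaper suffices because " is encoded.
function renderSearchBox(q) {
  return `<input name="q" value="${escapeHtml(q)}">`;
}

// Unquoted attribute context: NOT safe even with escaping. Spaces and = pass
// through, so the value grows a new event-handler attribute. Kept here only
// to make the failure visible; never ship unquoted attributes.
function renderSearchBoxUnquoted(q) {
  return `<input name="q" value=${escapeHtml(q)}>`;
}

// URL context: scheme allowlist first, then escaping for the quoted attribute.
function renderLink(url, label) {
  return `<a href="${escapeHtml(safeUrl(url))}">${escapeHtml(label)}</a>`;
}

// Constructed payloads, one per context.
const PAYLOADS = {
  body: '<script>alert(document.cookie)</script>',
  quotedAttr: '"><img src=x onerror=alert(1)>',
  unquotedAttr: 'x onmouseover=alert(1)',
  url: 'JaVaScRiPt:alert(1)',
};

console.log(renderResults(PAYLOADS.body));
console.log(renderSearchBox(PAYLOADS.quotedAttr));
console.log(renderSearchBoxUnquoted(PAYLOADS.unquotedAttr)); // still exploitable
console.log(renderLink(PAYLOADS.url, 'click'));
```

The unquoted-attribute and URL cases are the ones escape-html alone cannot fix, which is why the scanner's notion of a "recognized sanitizer" has to be read per sink: escaping that is correct for the body of the h1 is not evidence that an href built from the same value is safe.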

Compliance framework mapping

Framework               Controls
OWASP Top 10 (2021)     A03:2021 Injection
NIST 800-53 Rev 5       SI-10 Information Input Validation
PCI-DSS v4.0            6.2.4 Software engineering techniques
HIPAA Security Rule     164.312(c)(1) Integrity controls

Related CWEs

Deva detects CWE-79 alongside 970+ other CWE patterns at write time, with AI-assisted fix generation that maintains compliance.