VC007 · A03:2021 · CWE-79

XSS vulnerability

Cross-site scripting (XSS) via `dangerouslySetInnerHTML`, `innerHTML`, or unescaped HTML output. The classic browser exploit, still extremely common in 2026.

What this rule detects

VC007 looks for HTML output paths that bypass auto-escaping. In React: `dangerouslySetInnerHTML={{__html: ...}}` with a value that traces back to user input. In vanilla JS: `element.innerHTML = userInput`. In server-rendered templates: unescaped variable outputs.

Vulnerable vs. safe code

Vulnerable

// User content rendered as HTML — they can inject <script> tags.
function Comment({ comment }: { comment: { body: string } }) {
  return (
    <div
      className="comment"
      dangerouslySetInnerHTML={{ __html: comment.body }}
    />
  );
}
Safe

// Option 1: just render as text. React auto-escapes.
function Comment({ comment }: { comment: { body: string } }) {
  return <div className="comment">{comment.body}</div>;
}

// Option 2: if you genuinely need HTML, sanitize first with DOMPurify.
import DOMPurify from "isomorphic-dompurify";

function Comment({ comment }: { comment: { body: string } }) {
  const clean = DOMPurify.sanitize(comment.body);
  return (
    <div
      className="comment"
      dangerouslySetInnerHTML={{ __html: clean }}
    />
  );
}
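As an added example (not XploitScan's own rule implementation), a minimal line-based check in the spirit of the detection described above, run over the page's vulnerable and sanitized components; `findXssSinks`, `isSafeExpr`, the regexes and the sample source are all constructed here, and a real rule would work on the AST and trace data flow rather than match lines.

```javascript
// Added example (not XploitScan's rule logic): a line-based check for the two client-side sinks.
// `dangerouslySetInnerHTML={{ __html: <expr> }}`, capturing <expr>.
const REACT_SINK = /dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:\s*([^}]+?)\s*\}\}/;
// `<target>.innerHTML = <expr>;` or `+=`, capturing <expr>; the (?!=) skips `===` comparisons.
const DOM_SINK = /\.innerHTML\s*\+?=(?!=)\s*([^;]+?)\s*;?\s*$/;
// `const x = DOMPurify.sanitize(...)`: names bound this way are treated as already sanitized.
const SANITIZED_VAR = /\b(?:const|let|var)\s+(\w+)\s*=\s*DOMPurify\.sanitize\(/g;

// Accept a plain string literal (no interpolation), a direct sanitizer call,
// or a name bound to a sanitizer result; anything else is treated as potentially user-controlled.
function isSafeExpr(expr, sanitized) {
  const e = expr.trim();
  if (/^(["'])(?:(?!\1).)*\1$/.test(e)) return true; // "..." or '...'
  if (/^`[^$`]*`$/.test(e)) return true; // `...` without ${}
  if (/^DOMPurify\.sanitize\(/.test(e)) return true;
  return sanitized.has(e);
}

// Returns one finding per offending line: { line, sink, expr }.
function findXssSinks(source) {
  const sanitized = new Set([...source.matchAll(SANITIZED_VAR)].map((m) => m[1]));
  const findings = [];
  source.split("\n").forEach((text, i) => {
    const react = text.match(REACT_SINK);
    const dom = react ? null : text.match(DOM_SINK);
    const hit = react
      ? { sink: "dangerouslySetInnerHTML", expr: react[1] }
      : dom && { sink: "innerHTML", expr: dom[1] };
    if (hit && !isSafeExpr(hit.expr, sanitized)) {
      findings.push({ line: i + 1, sink: hit.sink, expr: hit.expr.trim() });
    }
  });
  return findings;
}

// Constructed sample: the page's vulnerable and sanitized components plus two
// vanilla-DOM assignments, one static and one built from a query string.
const SAMPLE = [
  "function Bad({ comment }) {",
  "  return <div dangerouslySetInnerHTML={{ __html: comment.body }} />;",
  "}",
  "function Good({ comment }) {",
  "  const clean = DOMPurify.sanitize(comment.body);",
  "  return <div dangerouslySetInnerHTML={{ __html: clean }} />;",
  "}",
  'banner.innerHTML = "<b>Welcome</b>";',
  'results.innerHTML = "<p>" + query + "</p>";',
].join("\n");

console.log(findXssSinks(SAMPLE)); // reports lines 2 and 9 only
```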

About A03:2021 Injection

Injection happens when user input is concatenated directly into SQL queries, shell commands, HTML, or any other interpreter. SQL injection has been #1 or #2 on the OWASP Top 10 since the list was created in 2003 — it's the oldest class of web bug that still ships every week.

Impact:

  • SQL injection: attacker reads or modifies your entire database.
  • Command injection: attacker runs arbitrary shell commands on your server.
  • XSS: attacker steals session cookies and impersonates other users.

Each one is typically a critical-severity finding.

How to fix it: Always use parameterized queries (prepared statements) for SQL. Never use template literals or string concatenation with user input in queries. For HTML output, use your framework's auto-escaping. For shell commands, use APIs that take an array of arguments instead of `exec()` with a string.

Common patterns in this category:

  • SQL queries built with string concatenation or template literals
  • `child_process.exec()` called with user input concatenated into the command
  • `dangerouslySetInnerHTML` with user-controlled data
  • `eval()` or `Function()` called with user input
  • `innerHTML` assignment without sanitization

Compliance coverage

Findings from this rule map to the following framework controls:

SOC 2: CC6.1, CC7.1
ISO 27001: A.8.25, A.8.28
OWASP Top 10: A03:2021 Injection
CWE: CWE-79

See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.

Scan your code for VC007 and 157 other rules

Free, no signup. Drag and drop a zip or run `npx xploitscan scan .`

