Cross-site scripting (XSS) via Express.js response.write() with user data

Severity: High Risk. Category: cross-site-scripting
Tags: javascript, express, nodejs, response, xss

What it is

An XSS vulnerability in Express.js applications where user-controlled data is written directly to the HTTP response with response.write() or response.end() without proper escaping, allowing script injection into the rendered page.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

User input from request parameters, body, or headers is passed straight to response.write() or response.end() without escaping, so the browser interprets it as markup rather than text.

Root causes

Direct User Input in Response

User input from request parameters, body, or headers is directly written to the response without escaping.

Manual HTML Generation

Building HTML responses manually using string concatenation with user data.

Bypassing Template Engine Safety

Using raw response methods instead of secure template engines that provide automatic escaping.

Fixes

1. Use Template Engines with Auto-Escaping

Use template engines like Handlebars, EJS, or Pug that provide automatic HTML escaping.

2. Manual HTML Escaping

If direct response writing is necessary, manually escape all user data using HTML escaping functions.

3. Return JSON Instead of HTML

For API endpoints, return JSON data instead of HTML to avoid XSS vulnerabilities.
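The following is an added example, not code from the original page or from Sourcery, showing fixes 2 and 3 side by side with the vulnerable pattern they replace. Express itself is not required to run it: the handlers take the minimal req/res shape Express would pass (a `req.query.name` parameter and a `res` with `setHeader`, `write` and `end`), and a small recorder stands in for the real response so the output can be inspected offline. The handler and helper names (`escapeHtml`, `vulnerableHandler`, `escapedHandler`, `jsonHandler`, `render`) and the sample payload are all constructed for this example.

```javascript
// Added example (not from the original page): vulnerable response.write()
// pattern beside the manually escaped and JSON variants. Handler shapes are
// assumed to match what Express passes; no Express dependency is needed.

// Escape the five characters that change meaning in an HTML text or
// quoted-attribute context. '&' must be replaced first so the entities
// produced by the later replacements are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: req.query.name lands in the markup unchanged, so a value such
// as "<script>...</script>" is executed by the browser.
function vulnerableHandler(req, res) {
  res.write('<h1>Hello ' + req.query.name + '</h1>');
  res.end();
}

// Fix 2 (manual escaping): every user-controlled value goes through
// escapeHtml() before it is concatenated into the HTML string.
function escapedHandler(req, res) {
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.write('<h1>Hello ' + escapeHtml(req.query.name) + '</h1>');
  res.end();
}

// Fix 3 (JSON for API endpoints): the value is serialised as data and sent
// with a JSON content type, so the browser never parses it as HTML.
function jsonHandler(req, res) {
  res.setHeader('Content-Type', 'application/json; charset=utf-8');
  res.end(JSON.stringify({ greeting: 'Hello', name: req.query.name }));
}

// Minimal stand-in for an Express response object that records the headers
// and body a handler would have sent. Constructed for this example.
function makeRecorder() {
  const out = { headers: {}, body: '' };
  const res = {
    setHeader(name, value) { out.headers[name.toLowerCase()] = value; },
    write(chunk) { out.body += chunk; },
    end(chunk) { if (chunk !== undefined) out.body += chunk; },
  };
  return { out, res };
}

// Run a handler against a constructed request carrying `name` as a query
// parameter and return what it would have sent.
function render(handler, name) {
  const { out, res } = makeRecorder();
  handler({ query: { name } }, res);
  return out;
}

// Constructed sample input: a typical script-injection probe.
const SAMPLE_NAME = '<script>alert(1)</script>';

// Stand-alone demonstration. In a real app the fixed handlers would be
// registered as app.get('/hello', escapedHandler) or app.get('/api/hello', jsonHandler).
console.log('vulnerable:', render(vulnerableHandler, SAMPLE_NAME).body);
console.log('escaped:   ', render(escapedHandler, SAMPLE_NAME).body);
console.log('json:      ', render(jsonHandler, SAMPLE_NAME).body);
```

Note that `escapeHtml` is only correct for HTML text and quoted attribute values; data placed inside a `<script>` block, an inline event handler, a `style` block, or a URL needs the encoding for that context instead. When using fix 1, the template engine's escaping helpers behave the same way: Handlebars `{{ }}`, EJS `<%= %>` and Pug `#{}` escape, while `{{{ }}}`, `<%- %>` and `!{}` deliberately do not and reintroduce the problem if fed user data.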

Detect This Vulnerability in Your Code

Sourcery automatically identifies cross-site scripting (XSS) via Express.js response.write() with user data and many other security issues in your codebase.