Cross-Site Scripting (XSS)
User-controlled input is rendered into HTML or JavaScript context without escaping, letting an attacker execute script in another user's browser.
GateTest coverage
Caught by: security, crossFileTaint
Example
A React component that renders a query parameter as raw HTML: <div dangerouslySetInnerHTML={{ __html: req.query.q }} />. React escapes JSX text children by default; dangerouslySetInnerHTML opts out of that escaping, so whatever arrives in req.query.q reaches the DOM unencoded.
How to fix it
Escape on output, for the context the data lands in (HTML text, attribute, JavaScript, URL). Use a templating engine that escapes by default (React, Jinja2 with autoescaping enabled, Razor) and do not bypass it: in React that means rendering untrusted data as {value} rather than through dangerouslySetInnerHTML, and Html.Raw in Razor or the |safe filter in Jinja2 need the same scrutiny. If you genuinely must render HTML from user input, run it through an allow-list sanitizer first. Add a strict, nonce-based CSP as defence in depth so an injected script is refused even if an escape is missed. GateTest's security and crossFileTaint modules catch the common patterns.
Scan your repo for CWE-79
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-79 (Cross-Site Scripting (XSS))?
User-controlled input is rendered into HTML or JavaScript context without escaping, letting an attacker execute script in another user's browser.
How do I fix Cross-Site Scripting (XSS)?
Escape on output, for the context the data lands in (HTML text, attribute, JavaScript, URL). Use a templating engine that escapes by default (React, Jinja2 with autoescaping enabled, Razor) and do not bypass it with dangerouslySetInnerHTML, Html.Raw or the |safe filter unless the content has been sanitized with an allow-list sanitizer. Add a strict, nonce-based CSP as defence in depth. GateTest's security and crossFileTaint modules catch the common patterns.
Does GateTest detect Cross-Site Scripting (XSS)?
Yes: GateTest's security and crossFileTaint modules catch this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Cross-Site Scripting (XSS) in the CWE Top 25?
Cross-Site Scripting (XSS) is ranked #2 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).