mcp-server-semgrep
MCP Server for Semgrep Integration - static code analysis with AI
rules:
  - id: detect-replaceall-sanitization
    message: >-
      Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`.
      Manually sanitizing input through a manually built list can be circumvented
      in many situations, and it's better to use a well known sanitization library
      such as `sanitize-html` or `DOMPurify`.
    metadata:
      category: security
      technology:
        - javascript
        - typescript
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      references:
        - https://www.npmjs.com/package/dompurify
        - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
    languages:
      - javascript
      - typescript
    severity: INFO
    patterns:
      # Each pattern matches one literal character being swapped for its HTML
      # entity; $STR is the receiver, $FUNC is constrained below.
      - pattern-either:
          - pattern: $STR.$FUNC('<', '&lt;')
          - pattern: $STR.$FUNC('>', '&gt;')
          - pattern: $STR.$FUNC('"', '&quot;')
          - pattern: $STR.$FUNC("'", '&#x27;')
          - pattern: $STR.$FUNC('&', '&amp;')
      - metavariable-regex:
          metavariable: $FUNC
          regex: (replace|replaceAll)
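An added example, not code from the mcp-server-semgrep project or from the Semgrep rule itself: JavaScript showing what the rule flags, why the finding is justified (an incomplete list and an ordering bug in hand-rolled escapers), and a single-pass escaper the rule does not match. The `ruleid:`/`ok:` comments follow Semgrep's test-file convention and annotate the line below them; all inputs are constructed.

```javascript
// Added example (not from the mcp-server-semgrep project or the Semgrep rule).
// The `ruleid:` / `ok:` comments are Semgrep test annotations (semgrep --test)
// and refer to the line directly beneath them.

// Hand-rolled escaper built from the rule's patterns. Every call matches the
// rule on its own. The list is incomplete ('&' is never escaped), so an input
// that already contains an entity comes out unchanged: escaped output and raw
// input become indistinguishable to the consumer.
function manualEscape(str) {
  // ruleid: detect-replaceall-sanitization
  let out = str.replaceAll('<', '&lt;');
  // ruleid: detect-replaceall-sanitization
  out = out.replaceAll('>', '&gt;');
  // ruleid: detect-replaceall-sanitization
  out = out.replaceAll('"', '&quot;');
  // ruleid: detect-replaceall-sanitization
  out = out.replaceAll("'", '&#x27;');
  return out;
}

// Two typical defects in one function: replace() only touches the first '<',
// and '&' is handled last, so the entity produced by the first step is
// re-encoded ("&lt;" becomes "&amp;lt;").
function manualEscapeWrongOrder(str) {
  // ruleid: detect-replaceall-sanitization
  let out = str.replace('<', '&lt;');
  // ruleid: detect-replaceall-sanitization
  out = out.replaceAll('&', '&amp;');
  return out;
}

// Single pass, table driven: one regex over the five characters the OWASP
// cheat sheet lists, so there is no ordering to get wrong and nothing for a
// later step to re-encode. The rule does not flag it because the first
// argument is a regex, not a literal character. For anything richer than
// plain text the rule's own advice (a maintained library such as DOMPurify)
// still applies.
const HTML_ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(str) {
  // ok: detect-replaceall-sanitization
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ENTITY[ch]);
}

// Constructed inputs: an already-escaped fragment and a raw fragment.
console.log(manualEscape('&lt;b&gt;'));          // '&lt;b&gt;' (unchanged)
console.log(manualEscapeWrongOrder('<b>&<i>'));  // '&amp;lt;b>&amp;<i>'
console.log(escapeHtml('<b>&<i>'));              // '&lt;b&gt;&amp;&lt;i&gt;'
```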