mcp-server-semgrep/semgrep-rules/javascript/browser/security/insecure-document-method.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: insecure-document-method
  message: >-
    User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
    that can lead to XSS vulnerabilities
  metadata:
    cwe:
    - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
    owasp:
    - A07:2017 - Cross-Site Scripting (XSS)
    - A03:2021 - Injection
    category: security
    technology:
    - browser
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
    confidence: LOW
    references:
    - https://owasp.org/Top10/A03_2021-Injection
  languages:
  - javascript
  - typescript
  severity: ERROR
  patterns:
  - pattern-either:
    - pattern: |
        $EL.innerHTML = $HTML;
    - pattern: |
        $EL.outerHTML = $HTML;
    - pattern: document.write(...)
  - pattern-not: |
      $EL.innerHTML = "...";
  - pattern-not: |
      $EL.outerHTML = "...";
  - pattern-not: document.write("...")