mcp-server-semgrep
Version:
MCP Server for Semgrep Integration - static code analysis with AI
32 lines (31 loc) • 768 B
YAML
rules:
- id: insecure-innerhtml
message: >-
User controlled data in a `$EL.innerHTML` is an anti-pattern that can lead to XSS vulnerabilities
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
category: security
technology:
- browser
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
references:
- https://owasp.org/Top10/A03_2021-Injection
languages:
- javascript
- typescript
severity: ERROR
patterns:
- pattern: |
$EL.innerHTML = $HTML;
- pattern-not: |
$EL.innerHTML = "...";