security.input-validation

Avoid request-controlled format strings

Logging and formatting helpers should not take request input as the format string itself.

#Metadata

#Why it matters

Request-controlled format strings can corrupt logs, leak structure, or produce unexpected formatting behavior.

#Remediation

Keep the format string fixed and pass request data as ordinary arguments or structured fields.
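The difference in practice, shown with Node's `util.format` (the formatter behind `console.log`). This is an added example, not code from the rule or its repository; the function names, the log message, and the sample user and IP values are constructed for illustration.

```typescript
import { format } from "node:util";

// UNSAFE: request data is concatenated into the format string, so any
// %-specifier it contains is interpreted and consumes the real arguments.
function unsafeLine(user: string, ip: string): string {
  return format("login failed for " + user + " from %s", ip);
}

// SAFE: the format string is a constant; request data is only an argument.
// Specifiers inside an argument are never re-interpreted.
function safeLine(user: string, ip: string): string {
  return format("login failed for %s from %s", user, ip);
}

// SAFE: structured fields, no format string involved at all.
function structuredLine(user: string, ip: string): string {
  return JSON.stringify({ event: "login_failed", user, ip });
}

// Constructed sample inputs: a normal name and two names carrying specifiers.
const sampleIp = "203.0.113.7";
for (const user of ["alice", "%c", "%d"]) {
  console.log("user=%j", user);
  console.log("  unsafe:     %s", unsafeLine(user, sampleIp));
  console.log("  safe:       %s", safeLine(user, sampleIp));
  console.log("  structured: %s", structuredLine(user, sampleIp));
}
```

With the unsafe helper, a user name of `%c` swallows the IP argument so the source address never reaches the log, and `%d` turns it into `NaN`; the fixed-format and structured versions record both fields verbatim.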

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.format-string-using-user-input.rule.yaml.