Avoid raw HTML with request input | Critiq Docs

#Metadata

Rule ID: ts.security.raw-html-using-user-input
Severity: high
Confidence: 0.92
Languages: javascript, typescript
Presets: recommended, security, strict
Stability: stable
Applies to: block
Tags: output-encoding, rules-catalog, security, xss

#Why it matters

Raw HTML construction with request data is a common path to reflected and stored XSS.

#Remediation

Use framework escaping, a trusted sanitizer, or safe DOM APIs instead of raw HTML interpolation.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.raw-html-using-user-input.rule.yaml.

Back to registry Open rule in repository