security.output-encoding

Avoid unsafe raw HTTP response output

Raw response writers should not echo request data into HTML-capable responses without trusted escaping or sanitization.

#Metadata

#Why it matters

Directly reflecting request data into HTML-capable response sinks creates reflected XSS and content injection risk.

#Remediation

Escape or sanitize the data with a trusted helper, or switch to a response format that does not treat it as executable markup.
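The flagged pattern beside both remediations, as an added example that is not taken from the rule's own fixtures. `RawResponse`, the handler names and `escapeHtml` are hypothetical; `escapeHtml` stands in for whichever trusted helper the project already uses, and the sample input is constructed.

```typescript
// RawResponse: hypothetical stand-in for the two http.ServerResponse methods used here.
interface RawResponse {
  setHeader(name: string, value: string): void;
  end(body: string): void;
}
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Stand-in for a trusted escaping helper. Valid only for HTML text nodes and
// quoted attribute values, not for script, URL or CSS contexts.
function escapeHtml(value: string): string {
  return value.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// Flagged pattern: request data echoed unchanged into an HTML-capable response.
function searchUnsafe(query: string, res: RawResponse): void {
  res.setHeader("Content-Type", "text/html; charset=utf-8");
  res.end(`<p>Results for ${query}</p>`);
}

// Remediation 1: escape the value before it reaches the HTML sink.
function searchEscaped(query: string, res: RawResponse): void {
  res.setHeader("Content-Type", "text/html; charset=utf-8");
  res.end(`<p>Results for ${escapeHtml(query)}</p>`);
}

// Remediation 2: use a format the browser does not render as markup.
function searchJson(query: string, res: RawResponse): void {
  res.setHeader("Content-Type", "application/json; charset=utf-8");
  res.setHeader("X-Content-Type-Options", "nosniff"); // block MIME sniffing to HTML
  res.end(JSON.stringify({ query }));
}

// Records what a handler writes, in place of a real socket.
function capture(handler: (q: string, res: RawResponse) => void, query: string) {
  const headers: Record<string, string> = {};
  let body = "";
  handler(query, {
    setHeader: (name, value) => { headers[name.toLowerCase()] = value; },
    end: (b) => { body = b; },
  });
  return { headers, body };
}

// Constructed sample input standing in for a request query parameter.
const SAMPLE = "<script>alert(1)</script>";
console.log(capture(searchUnsafe, SAMPLE).body);  // markup reaches the page intact
console.log(capture(searchEscaped, SAMPLE).body); // markup rendered inert as text
```

The JSON variant is safe only while the response keeps a non-HTML content type; embedding that JSON inside an HTML page later needs its own context-appropriate encoding.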

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.unsanitized-http-response.rule.yaml.