security.output-encoding

Constrain `res.render()` trust boundaries

Untrusted input should not determine the view name that Express passes to server-side rendering.

#Metadata

#Why it matters

Untrusted template names can expose internal views, bypass intended route behavior, or widen a server-side template boundary.

#Remediation

Resolve the template from an allowlist or fixed route mapping before calling `res.render()`.
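
The pattern this rule flags next to the allowlist fix, as an added example that is not taken from the rule's own repository. The page keys, view names, `ReqLike`/`ResLike` stand-ins, and helper names are all hypothetical, and the sample inputs are constructed.

```typescript
// Stand-ins for the Express members used here (assumption: avoids needing the express package).
interface ReqLike { query: Record<string, unknown>; }
interface ResLike {
  status(code: number): ResLike;
  render(view: string): void;
  send(body: string): void;
}

// Fixed mapping from public page keys to view names (hypothetical names).
const VIEW_BY_PAGE: Record<string, string> = {
  home: "pages/home",
  pricing: "pages/pricing",
  contact: "pages/contact",
};

// Returns the allowlisted view for a request value, or null when it is not mapped.
function resolveView(page: unknown): string | null {
  if (typeof page !== "string") return null; // e.g. ?page[]=x parses to an array
  // Own-property check so "__proto__" or "constructor" never match inherited keys.
  if (!Object.prototype.hasOwnProperty.call(VIEW_BY_PAGE, page)) return null;
  const view = VIEW_BY_PAGE[page];
  return typeof view === "string" ? view : null;
}

// Before: the request value reaches res.render() unchanged.
function unsafeHandler(req: ReqLike, res: ResLike): void {
  res.render(String(req.query.page));
}

// After: only a view resolved from the fixed mapping is rendered.
function safeHandler(req: ReqLike, res: ResLike): void {
  const view = resolveView(req.query.page);
  if (view === null) { res.status(404).send("Not found"); return; }
  res.render(view);
}

// Runs a handler against a recording response and returns the calls it made.
function trace(handler: (req: ReqLike, res: ResLike) => void, page: unknown): string[] {
  const calls: string[] = [];
  const res: ResLike = {
    status(code) { calls.push("status:" + code); return res; },
    render(view) { calls.push("render:" + view); },
    send() { calls.push("send"); },
  };
  handler({ query: { page } }, res);
  return calls;
}
```

With a real Express app, `safeHandler` has the same shape as a route callback; unmapped keys get a 404 instead of reaching the template engine.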

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.user-controlled-view-render.rule.yaml.