Do not parse untrusted XML with permissive parsers | Critiq Docs

#Metadata

Rule ID: ts.security.xml-parse-string-with-untrusted-input
Severity: high
Confidence: 0.78
Languages: javascript, typescript
Presets: security, strict
Stability: stable
Applies to: block
Tags: deserialization, rules-catalog, security, xml

#Why it matters

Untrusted XML can enable XXE-style parser abuse depending on the underlying implementation and parser flags.

#Remediation

Disable external entities, validate payloads against a strict schema, and parse with a hardened XML configuration.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.xml-parse-string-with-untrusted-input.rule.yaml.

Back to directory Open rule in repository