New
Introducing React Bench, see how different models perform on React code

react-doctor/unsafe-json-in-html

Unescaped JSON in HTML or script sink

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: always
  • Tags: security-scan
  • Default: Enabled

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Confirm the reported code matches Unescaped JSON in HTML or script sink. Check the framework context and diagnostic message before suppressing it.

Fix prompt

Use this once validation confirms the diagnostic is real.

JSON.stringify does not HTML-escape, so a </script> (or <) in the data breaks out and becomes XSS. Use an HTML-safe serializer (serialize-javascript, devalue) or escape <, >, and &, or pass data via a JSON <script type="application/json"> read with JSON.parse.

More Security rules from the rules reference:

  • react-doctor/untrusted-redirect-following: Following a redirect from a request-supplied URL without re-validating each hop lets an attacker bounce your server into internal addresses (server-side request forgery).
  • react-doctor/url-prefilled-privileged-action: Reading a privileged action from the URL (invite, role, permission, redirect, sharing) and acting on it lets an attacker craft a link that performs that action for a victim.
  • react-doctor/webhook-signature-risk: An inbound webhook handler that acts on the request body without verifying the provider's signature will process forged requests from anyone.
  • socket/low-supply-chain-score: A direct dependency's worst Socket security axis (supply chain or vulnerability) scores below the configured minimum — bump it to a patched/healthier release, replace it, or vet it and raise `supplyChain.minScore`
  • react-doctor/active-static-asset: A browser-reachable SVG that contains a `<script>` tag or `on*` event handler runs that code in your origin when someone opens it, which can lead to cross-site scripting.