Issue
I am writing the backend of an application using express in node.js. Checkmarx highlights this issue: Improper Neutralization of Input During Web Page Generation
The line of code highlighted: const token = req.params.company2tftoken;
What can I do to fix this? Any article will also work.
Solution
Here’s a quick intro to what Reflected XSS is and what harm this vulnerability can do to your Node app
In general, one of the ways to prevent XSS is to output encode/escape. Depending on the contextual output (URL, javascript, HTML) where req.params.company2tftoken might end, will determine what function to use. I’m assuming URL so you may try with URL encoding using the querystring.escape method
const token = querystring.escape(req.params.company2tftoken);