[Fixed] How to fix Reflected XSS vulnerability in my node.js application


I am writing the backend of an application using express in node.js. Checkmarx highlights this issue: Improper Neutralization of Input During Web Page Generation

The line of code highlighted: const token = req.params.company2tftoken;

What can I do to fix this? Any article will also work.


Here’s a quick intro to what Reflected XSS is and what harm this vulnerability can do to your Node app

In general, one of the ways to prevent XSS is to output encode/escape. Depending on the contextual output (URL, javascript, HTML) where req.params.company2tftoken might end, will determine what function to use. I’m assuming URL so you may try with URL encoding using the querystring.escape method

const token = querystring.escape(req.params.company2tftoken);

Leave a Reply

(*) Required, Your email will not be published