Browser output encodes or sanitizes untrusted content in the correct context
sec-004
Intent
Render untrusted content as inert text or vetted sanitized markup, not executable HTML, script, or dangerous browser context.
Applicability
Applies when the diff renders user-controlled content into HTML, templates, DOM sinks, script blocks, URL-bearing attributes, or framework escape hatches. Return unknown when the actual rendering sink is not visible.
What to inspect
Template expressions, raw HTML helpers, JSON embedded in <script>, DOM sinks, sanitizer usage, and context-specific encoders.
Pass criteria
The code keeps framework auto-escaping enabled or uses context-appropriate escaping or vetted sanitization for intentionally rich HTML.
Fail criteria
Untrusted content is marked safe, interpolated into script-capable contexts without the correct encoder, or inserted through raw HTML sinks without sanitization.
Do not flag
Plain JSON responses. Auto-escaped template expressions. Static literals. Reviewed safe-html abstractions with visible sanitizer use.
Confidence guidance
HIGH when the unsafe sink and untrusted source are visible. MEDIUM when the sink is clear but content origin is inferred. LOW when rendering happens through hidden helpers.
Remediation
Use the encoder that matches the sink. Preserve default escaping. Sanitize rich HTML with a vetted allowlist sanitizer.
Pass example
element.textContent = userComment
Fail example
element.innerHTML = userComment
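Context-matched encoders for the sinks named under "What to inspect" and "Remediation", as an added example that is not part of the original rule; the function names, the about:blank fallback and the sample comment are assumptions for illustration:

```javascript
// Added example, not part of the original rule: one encoder per sink context.
// Function names are illustrative assumptions.

// HTML text and quoted-attribute context: neutralise the significant characters.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JSON embedded in a <script> block: JSON.stringify alone is not enough, because a
// "</script>" or "<!--" inside a string closes the element before the JS parser sees it.
// Escaping the HTML-significant characters as unicode escapes keeps the value identical
// after JSON.parse while making it inert to the HTML parser.
function encodeJsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// URL-bearing attribute (href/src): encoding cannot make a "javascript:" or "data:"
// URL inert, so allowlist the scheme first, then HTML-encode for the attribute.
function safeUrlForAttribute(value) {
  const url = String(value).trim();
  const allowed = /^https?:\/\//i.test(url) || /^\/(?!\/)/.test(url);
  return encodeForHtml(allowed ? url : 'about:blank'); // assumed inert fallback
}

// Assemble a fragment using the encoder that matches each sink.
function renderComment(comment) {
  return (
    `<a href="${safeUrlForAttribute(comment.url)}" title="${encodeForHtml(comment.author)}">` +
    `${encodeForHtml(comment.body)}</a>` +
    `<script>window.__comment = ${encodeJsonForScript(comment)};</script>`
  );
}

// Constructed sample input: each field probes a different rendering context.
const sample = {
  author: 'mallory" onmouseover="alert(1)',
  body: '<img src=x onerror=alert(1)>',
  url: 'javascript:alert(1)',
};
console.log(renderComment(sample));
```

Compare with the fail example above: the same `sample.body` assigned through `innerHTML` would be parsed as markup, while every sink here receives it as inert text.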