Request input written to the response body
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
res.send / res.write / res.end is called with a value taken from req.query/params/body/headers/cookies; res.send defaults to text/html, so a reflected value is a direct XSS sink.
Why it matters
res.send() with a string sets the Content-Type to text/html, so a value taken from req.query, req.body, or another request field is reflected straight into an HTML response. An attacker crafts a link that puts script into that field and it runs in the victim's browser: reflected XSS, leading to session theft or actions taken as the user. The risk applies whenever the reflected value can contain markup.
How to fix it
Do not reflect request input as HTML. Return data with res.json for APIs, or render through a template engine that escapes output by default. If you must return user-derived text, set Content-Type to text/plain, or escape the value before it enters HTML. Never build HTML by concatenating request fields.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo