Will It Vibe logoWill It Vibe?
INJECT-020Low severity-4 points

document.write built from a variable (JS/TS)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

document.write with concatenated or interpolated content writes raw markup into the page, which is a DOM-based XSS vector when the value is user-controlled.

Why it matters

document.write with concatenated or interpolated content writes raw HTML into the page as it parses. A user-controlled value there can inject script that runs in your users' sessions (DOM-based XSS). It is a heuristic because the concatenated value may be static.

How to fix it

Stop using document.write. Build DOM nodes and set textContent for text, or use a templating approach that escapes by default. If you must insert HTML, sanitize it with DOMPurify first and insert with a controlled method rather than document.write.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks