document.write built from a variable (JS/TS)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
document.write with concatenated or interpolated content writes raw markup into the page, which is a DOM-based XSS vector when the value is user-controlled.
Why it matters
document.write with concatenated or interpolated content writes raw HTML into the page as it parses. A user-controlled value there can inject script that runs in your users' sessions (DOM-based XSS). It is a heuristic because the concatenated value may be static.
How to fix it
Stop using document.write. Build DOM nodes and set textContent for text, or use a templating approach that escapes by default. If you must insert HTML, sanitize it with DOMPurify first and insert with a controlled method rather than document.write.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo