Skip to main content
VibeAudit Liability Index
highXSS/output riskFix order 2

XSS Output Escape Hatch

What it is

Raw HTML rendering appears without sanitizer evidence.

This usually appears when generated code proves that a feature works but does not leave enough evidence that the launch boundary was checked.

How to fix it

Avoid raw HTML sinks or sanitize with a reviewed library, then add tests for script/event-handler payloads.

  1. 1Avoid raw HTML sinks; render untrusted content as text by default.
  2. 2Where raw HTML is required, sanitize with a reviewed library.
  3. 3Add tests for script and event-handler payloads at each rendering path.

How VibeAudit checks for this

VibeAudit checks this with scoped evidence from supported structural checks, external observations, and authorized probes where available. The free tier may show the surface name only, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.

Related failure modes

Check your public launch surface and keep unsupported scope visible.

Run Quick Scan