serialize-option-unsafe
Ensure javascript serialize does not use unsafe
By default the serialize function of the serialize-javascript package will automatically HTML encode output. This protects against cross-site scripting (XSS) if you are taking the serialized values and writing them to the DOM as-is. Adding the unsafe: true property to the serialize function will turn off this protection.
This rule won't help if your frontend framework is already encoding output (like React does) or the serialized payload isn't being sent to the frontend.
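The following is an added illustration of the difference the option makes; it is not code from the serialize-javascript package or from this rule's author. It assumes the package's default behaviour is to replace `<`, `>`, `/` and the U+2028/U+2029 line terminators with `\uXXXX` escapes, which is what lets the output sit inside a `<script>` element, and that `unsafe: true` skips that step. The `serializeSafe`, `serializeUnsafe`, `canBreakOutOfScript` and `renderStatePage` functions and the `untrustedState` sample are constructed for this example.

```javascript
// Added illustration of the escaping that serialize-javascript applies by
// default. NOT the package's own code: the table below mirrors the characters
// the package replaces (assumed: < > / and U+2028/U+2029) so that the result
// can be embedded inside a <script> block without terminating it.
const ESCAPES = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Stand-in for serialize(obj) with the default (safe) setting: the JSON text is
// post-processed so that no '<', '>' or '/' survives as a literal character.
// The escapes are valid JSON escapes, so JSON.parse still recovers the value.
function serializeSafe(obj) {
  return JSON.stringify(obj).replace(/[<>\/\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Stand-in for serialize(obj, { unsafe: true }): raw JSON, nothing escaped.
function serializeUnsafe(obj) {
  return JSON.stringify(obj);
}

// Defensive check a reviewer or test can run over serialized output: if this
// text were dropped verbatim into a <script> element, does it contain a
// sequence the HTML parser treats specially? "</script" (case-insensitive)
// closes the element; "<!--" opens an HTML comment inside script data.
function canBreakOutOfScript(text) {
  return /<\/script|<!--/i.test(text);
}

// The usual server-rendering pattern that this rule protects: state handed to
// the browser as an inline script.
function renderStatePage(serialized) {
  return `<script>window.__STATE__ = ${serialized};</script>`;
}

// Constructed sample state: the page's own attacker-style value plus a benign
// path, both of which contain characters the default mode escapes.
const untrustedState = {
  haxorXSS: '</script>',
  next: '/account/settings',
};

console.log('safe:   ' + renderStatePage(serializeSafe(untrustedState)));
console.log('unsafe: ' + renderStatePage(serializeUnsafe(untrustedState)));
```

With the default mode the rendered page contains `\u003C\u002Fscript\u003E`, which the HTML parser never sees as a closing tag and which the JavaScript engine decodes back to `</script>` when it evaluates the string. With `unsafe: true` the literal `</script>` lands in the page and ends the script element early, which is exactly the case `canBreakOutOfScript` flags.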
Examples
Insecure Example
serialize(obj, {unsafe: true});
Secure Example
serialize({
haxorXSS: '</script>'
});