Skip to content

serialize-option-unsafe

Ensure javascript serialize does not use unsafe

By default the serialize function of the serialize-javascript package will automatically HTML encode output. This protects against cross-site scripting (XSS) if you are taking the serialized values and writing them to the DOM as is. Adding the unsafe: true property to the serialize function will turn off this protection.

This rule won't help if your frontend framework is already encoding output (like React does) or the serialized payload isn't being sent to the frontend.

Examples

Insecure Example

serialize(obj, {unsafe: true});

Secure Example

serialize({
    haxorXSS: '</script>'
});