CVE-2026-31860: Unhead Weak Sanitization Bypass

Weak URL protocol or HTML attribute sanitization detected. Validating URLs using `.includes('javascript:')` or `.indexOf('javascript:')` is case-sensitive, ignores HTML entities, and is easily bypassed. Allowing attributes based solely on a `data-` prefix without ensuring the absence of spaces allows attribute injection vulnerabilities in SSR output. Use str

Provally Curated · Public repository · Severity: Medium · Medium confidence · Verified · License: Apache-2.0 · Language: TS
greprules fetch cve-2026-31860-unhead-weak-sanitization-bypass --engine opengrep
