Client-Side Data Flow
ID       | client_side_data_flow
Severity | info
Kind     | Fingerprinting
CWE      | N/A
Description
This detector identifies potentially unsafe data flows in client-side JavaScript where user-controlled input or sensitive data flows to dangerous sinks such as eval, innerHTML, or DOM manipulation functions. It traces how data moves from sources like URL parameters or user input through the JavaScript code to identify paths that could be exploited for injection attacks.
Rationale
Unsafe client-side data flows enable attackers to inject malicious code or manipulate application behavior through DOM-based attacks. When user input flows to dangerous sinks without proper validation or encoding, attackers can execute arbitrary JavaScript through DOM-based XSS, manipulate client-side routing, or exfiltrate sensitive data processed in the browser. These vulnerabilities are particularly dangerous because they bypass server-side security controls entirely.
Remediation
Avoid passing user-controlled data to dangerous JavaScript sinks such as eval, setTimeout with a string argument, or innerHTML. Use safe alternatives such as textContent for DOM manipulation and JSON.parse instead of eval for parsing data. Implement Content Security Policy headers to restrict inline script execution. When dynamic code execution is necessary, validate and sanitize all inputs using context-appropriate encoding and maintain a strict allowlist of permitted values.
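The source-to-sink pattern this detector flags, shown as a vulnerable function beside its hardened replacement (an added example, not code from the detector or its documentation). The element stub, the `tab` parameter and the allowlist of tab names are constructed for the example so it runs under Node.js; in a browser the same functions take a real DOM element and `location.search` / `location.hash`.

```javascript
// Constructed stand-in for a DOM element: records what each sink received.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Allowlist of tab names the page actually knows how to display (constructed).
const ALLOWED_TABS = new Set(["overview", "settings", "history"]);

// VULNERABLE: the `tab` query parameter (attacker-controlled source) flows
// straight into innerHTML (an HTML-parsing sink) with no validation.
function renderTabUnsafe(el, search) {
  const tab = new URLSearchParams(search).get("tab") || "overview";
  el.innerHTML = "<h2>" + tab + "</h2>"; // any markup in `tab` is interpreted
  return el;
}

// HARDENED: the value is checked against the allowlist and unknown values
// fall back to a default; the result is written through textContent,
// which renders characters literally and never parses markup.
function renderTabSafe(el, search) {
  const requested = new URLSearchParams(search).get("tab") || "overview";
  const tab = ALLOWED_TABS.has(requested) ? requested : "overview";
  el.textContent = tab;
  return el;
}

// State carried in the URL fragment: JSON.parse instead of eval.
// Malformed or non-object input yields null rather than running anything.
function parseFragmentState(hash) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  try {
    const state = JSON.parse(decodeURIComponent(raw));
    return state !== null && typeof state === "object" ? state : null;
  } catch (err) {
    return null; // covers both URIError from decoding and SyntaxError from parsing
  }
}
```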