
tessl-labs/input-sanitization

Sanitize and validate user input at system boundaries — prevent XSS, SQL

Score: 94 (1.20x)
Quality: 89% (Does it follow best practices?)
Impact: 100% (1.20x)
Average score across 6 eval scenarios
Security by Snyk: Passed, no known issues


evals/scenario-3/criteria.json

{
  "context": "Tests whether the agent avoids XSS vulnerabilities when rendering user-supplied content. Covers the rule that API endpoints return JSON (not HTML strings with interpolated data), that the frontend uses textContent or DOM API instead of innerHTML, that framework escape-bypasses like dangerouslySetInnerHTML/v-html are not used, and that any HTML escape helper covers all five dangerous characters.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Backend returns JSON",
      "description": "The API/server endpoint returns JSON (res.json() or equivalent) — does NOT use res.send() with a template string containing user data",
      "max_score": 10
    },
    {
      "name": "No innerHTML with user data",
      "description": "No JavaScript code assigns user-supplied data (comments, usernames, etc.) to element.innerHTML",
      "max_score": 15
    },
    {
      "name": "textContent or DOM API used",
      "description": "User-supplied text content is set via element.textContent, or via createElement + appendChild rather than innerHTML",
      "max_score": 15
    },
    {
      "name": "No dangerouslySetInnerHTML",
      "description": "Does NOT use React's dangerouslySetInnerHTML (or Vue's v-html, or Angular's [innerHTML] binding) with user data",
      "max_score": 10
    },
    {
      "name": "escapeHtml covers ampersand",
      "description": "If an escapeHtml / htmlEscape function is present, it replaces & with &amp;",
      "max_score": 8
    },
    {
      "name": "escapeHtml covers angle brackets",
      "description": "If an escapeHtml / htmlEscape function is present, it replaces both < with &lt; AND > with &gt;",
      "max_score": 8
    },
    {
      "name": "escapeHtml covers double quote",
      "description": "If an escapeHtml / htmlEscape function is present, it replaces \" with &quot;",
      "max_score": 8
    },
    {
      "name": "escapeHtml covers single quote",
      "description": "If an escapeHtml / htmlEscape function is present, it replaces ' with &#039; or &apos;",
      "max_score": 8
    },
    {
      "name": "Content-Type on POST endpoints",
      "description": "Any POST endpoints that accept user input check the Content-Type header and return 415 for non-JSON requests",
      "max_score": 10
    },
    {
      "name": "No server-side HTML interpolation",
      "description": "The server-side code does not build HTML strings using template literals or string concatenation with user-supplied values, even with escaping applied",
      "max_score": 8
    }
  ]
}
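The escapeHtml and Content-Type criteria above, worked through in JavaScript as an added example: this is not code from the tessl-labs/input-sanitization skill, and escapeHtml, weakEscapeHtml, checkEscapeCoverage and isJsonContentType are names assumed here, not the skill's.

```javascript
// Added example, not code from the input-sanitization skill: an escapeHtml
// covering the five characters the checklist names, a coverage check that
// mirrors the four "escapeHtml covers ..." criteria, and a Content-Type gate
// for POST endpoints. All function names are assumed, not the skill's.

// Entity table for the five dangerous characters. Escaping happens in one
// regex pass, so the '&' introduced by an entity is never re-escaped.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#039;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// A deliberately incomplete helper of the kind the checklist exists to catch:
// it escapes angle brackets and double quotes but leaves & and ' untouched.
function weakEscapeHtml(value) {
  return String(value).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Feed each dangerous character through the helper on its own and report the
// ones that come back unescaped. A double-encoded result such as "&amp;lt;"
// (from replacing & after the other characters) also counts as a miss.
function checkEscapeCoverage(escapeFn) {
  const accepted = {
    "&": ["&amp;"],
    "<": ["&lt;"],
    ">": ["&gt;"],
    '"': ["&quot;"],
    "'": ["&#039;", "&apos;"],
  };
  const missing = Object.keys(accepted).filter(
    (ch) => !accepted[ch].includes(escapeFn(ch))
  );
  return { complete: missing.length === 0, missing };
}

// POST endpoints should answer 415 when this returns false. Parameters such
// as "; charset=utf-8" are accepted; any other media type is not.
function isJsonContentType(header) {
  if (typeof header !== "string") return false;
  return header.split(";")[0].trim().toLowerCase() === "application/json";
}
```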
