regex-html-sanitizer
Do not use regex to sanitize HTML — use DOMPurify or sanitize-html
Applies to: JavaScript, Python, TypeScript
Why this matters
Regular expressions cannot safely parse or sanitize HTML. Regex-based tag stripping like `.replace(/<script/gi, '')` is trivially bypassed with techniques like `<scr<script>ipt>`, nested tags, event handlers (`onerror`), and encoding tricks. Always use a battle-tested library like DOMPurify (browser/Node.js) or sanitize-html (Node.js) or bleach (Python).
Catch it before it ships
pip install stablestack # or: npx stablestackstablestack # scans your project, SEC017 includedstablestack explain SEC017SEC017 is part of the Pro rule set. See pricing — the free tier ships 24 checks with no signup.
False positive in your codebase? Suppress a single line with # noqa: SEC017
More Security checks
hardcoded-secret
Hardcoded secrets in code can be leaked and are hard to rotate
SEC002sql-injection
SQL queries built with string concatenation are vulnerable to injection
SEC003eval-usage
eval() executes arbitrary code and is a security risk
SEC004insecure-random
Non-cryptographic random is predictable and insecure for tokens/passwords
SEC005inner-html-xss
Direct innerHTML assignment can lead to XSS vulnerabilities
SEC006webhook-security-bypass
Webhook signature verification should never be skipped
SEC007oauth-state-validation
OAuth callback missing state parameter validation
SEC008plaintext-secrets
Sensitive tokens stored without encryption in database schema