Skip to main content
rulesSource-backedReview first Safety Privacy

AI-Generated XSS (Cross-Site Scripting) Review Rules

Source-backed rules for reviewing AI-generated code that renders untrusted data into HTML, JavaScript, URLs, or CSS before merge for cross-site scripting risk, covering context-correct output encoding, dangerous DOM sinks, HTML sanitization, and Content-Security-Policy as defense in depth.

by lourincedaging0-commits·added 2026-07-15·
HarnessClaude Code
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html, https://github.com/JSONbored/awesome-claude/blob/main/content/rules/ai-generated-xss-review-rules.mdx
Safety notes
A successful XSS injection runs attacker JavaScript in another user's browser session, enabling session/token theft, account takeover, keylogging, or unauthorized actions performed as that user., AI assistants frequently reach for innerHTML, dangerouslySetInnerHTML, or string-concatenated HTML because it is the shortest path to the desired rendering, without adding sanitization or switching to a safe sink., Relying only on a Content-Security-Policy header is not sufficient: CSP support and enforcement vary by browser, misconfiguration is common, and it does not address DOM-based XSS that never touches the network.
Privacy notes
XSS proof-of-concept payloads and captured DOM/session state can include real session tokens, cookies, or personal data; use synthetic accounts and redact captures before pasting them into a PR or issue., Sanitizer configuration (allowed tags/attributes) can itself leak intent about what user-generated content the product stores; avoid documenting real user content samples in public review threads., Third-party scripts and widgets execute with the same DOM access as first-party code; disclose any new third-party script include as part of the change under review.
Author
lourincedaging0-commits
Submitted by
lourincedaging0-commits
Claim status
unclaimed
Last verified
2026-07-15

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Copy & paste

Copy-ready — paste the snippet to get started.

15 minutes

Install command

Not provided

Config snippet

Not provided

Copy snippet

Provided

Prerequisites

4 to clear

Platforms

1 listed

Install type

Copy & paste

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

4 prerequisites to line up before setup.

0/4 ready
Configuration1Permissions & scopes1General215 minutes

Safety & privacy surface

Safety & privacy surface

3 safety and 3 privacy notes across 5 risk areas. Review closely: credentials & tokens, network access, third-party handling.

5 areas
  • SafetyCredentials & tokensA successful XSS injection runs attacker JavaScript in another user's browser session, enabling session/token theft, account takeover, keylogging, or unauthorized actions performed as that user.
  • SafetyLocal filesAI assistants frequently reach for innerHTML, dangerouslySetInnerHTML, or string-concatenated HTML because it is the shortest path to the desired rendering, without adding sanitization or switching to a safe sink.
  • SafetyNetwork accessRelying only on a Content-Security-Policy header is not sufficient: CSP support and enforcement vary by browser, misconfiguration is common, and it does not address DOM-based XSS that never touches the network.
  • PrivacyCredentials & tokensXSS proof-of-concept payloads and captured DOM/session state can include real session tokens, cookies, or personal data; use synthetic accounts and redact captures before pasting them into a PR or issue.
  • PrivacyData retentionSanitizer configuration (allowed tags/attributes) can itself leak intent about what user-generated content the product stores; avoid documenting real user content samples in public review threads.
  • PrivacyThird-party handlingThird-party scripts and widgets execute with the same DOM access as first-party code; disclose any new third-party script include as part of the change under review.

Safety notes

  • A successful XSS injection runs attacker JavaScript in another user's browser session, enabling session/token theft, account takeover, keylogging, or unauthorized actions performed as that user.
  • AI assistants frequently reach for innerHTML, dangerouslySetInnerHTML, or string-concatenated HTML because it is the shortest path to the desired rendering, without adding sanitization or switching to a safe sink.
  • Relying only on a Content-Security-Policy header is not sufficient: CSP support and enforcement vary by browser, misconfiguration is common, and it does not address DOM-based XSS that never touches the network.

Privacy notes

  • XSS proof-of-concept payloads and captured DOM/session state can include real session tokens, cookies, or personal data; use synthetic accounts and redact captures before pasting them into a PR or issue.
  • Sanitizer configuration (allowed tags/attributes) can itself leak intent about what user-generated content the product stores; avoid documenting real user content samples in public review threads.
  • Third-party scripts and widgets execute with the same DOM access as first-party code; disclose any new third-party script include as part of the change under review.

Prerequisites

  • A pull request, diff, or snippet containing AI-generated or AI-edited code that renders variables into HTML, JavaScript, a URL, or CSS, or that calls DOM-manipulation APIs.
  • Knowledge of which values in the change are untrusted (user input, query params, third-party API responses, database content originally sourced from users).
  • Awareness of the framework's default auto-escaping behavior and which of its APIs bypass that escaping.
  • Permission to block merge when untrusted data reaches a dangerous sink without context-correct encoding or sanitization.

Schema details

Install type
copy
Troubleshooting
Yes
Collection metadata
Estimated setup
15 minutes
Difficulty
intermediate
Full copyable content
You are reviewing AI-generated code for cross-site scripting (XSS) risk.

Rules:
1. Identify every place untrusted data flows into HTML, JavaScript, a URL,
   or CSS, and confirm each one uses the output encoding for that specific
   context — HTML entity encoding, HTML attribute encoding, JavaScript
   encoding, URL encoding, or CSS hex encoding are not interchangeable.
2. Flag any use of a dangerous sink — `innerHTML`, `outerHTML`,
   `document.write`, `dangerouslySetInnerHTML`, Vue's `v-html`, Angular's
   `bypassSecurityTrustAs*`, or string-built `<script>`/`eval` — and require
   a safe sink (`textContent`, `setAttribute` on a hardcoded-safe attribute
   name, `.value`, framework-default templating) instead, unless the value
   first passes through an HTML sanitizer.
3. When a feature genuinely needs to render user-authored HTML (a WYSIWYG
   editor, markdown preview), require sanitization with a maintained library
   (for example DOMPurify) applied immediately before render, and confirm
   the sanitized output is not concatenated with more untrusted data
   afterward.
4. Never place untrusted data in a dangerous context that output encoding
   cannot make safe: directly inside a `<script>` block, inside an HTML
   comment, inside a `<style>` block, as an unquoted attribute value, or as
   the tag/attribute name itself.
5. For any URL built from untrusted input, validate the scheme against an
   allowlist (`http`/`https` only) before use in `href`, `src`, or a
   redirect, since `javascript:` and `data:` URLs execute when navigated or
   loaded.
6. Do not treat a Content-Security-Policy header, a WAF, or an input-side
   interceptor/filter as the primary defense — require context-correct
   output encoding or sanitization at the point of render first, and treat
   CSP as an additional layer, not a substitute.

About this resource

Purpose

Use these rules when an AI coding assistant writes or edits code that renders data of uncertain origin into a page. The goal is to stop a generated component, template, or DOM update from shipping a cross-site scripting hole because it renders correctly for the happy-path input and looks like ordinary UI code.

This is a review policy, not an XSS tutorial. It tells reviewers what must be true about a generated change's encoding, sinks, and sanitization before the change is safe to merge.

Review Inputs

Collect enough context to know where untrusted data flows and how it is rendered.

  • Every place the change writes a variable into HTML, an HTML attribute, inline JavaScript, a URL, or CSS.
  • Whether each variable originates from user input, a query parameter, a third-party API response, or stored content that was ever user-controlled.
  • Which DOM APIs or template constructs the change uses to do the writing, and whether any of them bypass the framework's default auto-escaping.
  • Whether the change introduces or modifies an HTML sanitizer, a Content-Security-Policy header, or a third-party script include.

Context-Correct Encoding Rules

  • Match the encoding to the context, not the data type: HTML body, HTML attribute, JavaScript, URL, and CSS each parse differently, and the wrong encoding for a context can still allow execution.
  • HTML body context (<div>UNTRUSTED</div>): use HTML entity encoding, or a safe sink such as .textContent.
  • HTML attribute context (<div attr="UNTRUSTED">): quote the attribute with " or ', use HTML attribute encoding, and only place untrusted data into attributes that cannot execute (never onclick, onerror, href with a javascript: scheme, or similar event/URL attributes without extra validation).
  • JavaScript context: the only safe placement for untrusted data is inside an already-quoted string literal, and it must use JavaScript-specific encoding there; never build a <script> block or event handler by concatenating untrusted strings into unquoted code.
  • URL context: URL-encode the value first, then apply HTML attribute encoding when the URL is placed in href or src; validate the scheme against an allowlist before use.
  • CSS context: restrict untrusted data to a CSS property value, never a selector or property name, and prefer element.style.property = value (a safe sink) over building a <style> block from strings.

Dangerous Sinks And Framework Escape Hatches

  • Treat these as unsafe unless the value has first passed through a maintained HTML sanitizer immediately before the call: innerHTML, outerHTML, insertAdjacentHTML, document.write, document.writeln.
  • Treat these framework escape hatches the same way: React's dangerouslySetInnerHTML, Vue's v-html, Angular's bypassSecurityTrustAs* family, and any unsafeHTML/raw-HTML helper.
  • Prefer safe sinks that always treat their argument as text, never markup: .textContent, .setAttribute(name, value) with a hardcoded attribute name, .value, .className, document.createTextNode.
  • Flag eval, new Function, setTimeout/setInterval called with a string argument, and any dynamic <script src> built from untrusted input.
  • A modern framework's default template syntax already HTML-encodes interpolated values — the risk is almost always in code that deliberately opts out of that default, not in ordinary template bindings.

Sanitization And CSP Rules

  • When a feature must render user-authored HTML (rich text, markdown preview, pasted content), sanitize with a maintained library (for example DOMPurify) and keep it patched, since sanitizer bypasses are discovered and fixed on an ongoing basis.
  • Sanitize as the last step before rendering; if sanitized output is modified or concatenated with more untrusted data afterward, the sanitization is void.
  • Use Content-Security-Policy as defense in depth, tuned for the specific application, not as a blanket policy assumed to cover every legacy page — it does not replace context-correct encoding or sanitization.
  • Where the browser target supports it, consider Trusted Types (Content-Security-Policy: require-trusted-types-for 'script') to force DOM XSS sinks through a vetted policy instead of accepting plain strings.
  • Do not rely on an input-side validator, HTTP interceptor, or WAF as the primary XSS defense: none of them have enough context to know which output context a given value will render into, and none of them stop DOM-based XSS that never touches the network.

Merge Blockers

Block merge when any of these is true.

  • Untrusted data reaches innerHTML, dangerouslySetInnerHTML, v-html, document.write, or an equivalent sink without prior sanitization.
  • A variable is placed inside a <script> block, an HTML comment, a <style> block, or an unquoted attribute — a dangerous context that output encoding cannot fully protect.
  • A URL built from untrusted input is used in href, src, or a redirect without scheme validation, allowing a javascript: or data: URL.
  • An HTML sanitizer is applied and then the result is mutated or concatenated with more untrusted data before render.
  • The only stated defense is a Content-Security-Policy header, a WAF, or an input-side filter, with no context-correct output encoding or sanitization at the render point.

Review Checklist

  • {"task": "Context-correct encoding", "description": "Every untrusted value uses the encoding for its actual context (HTML body, attribute, JS, URL, CSS)"}
  • {"task": "No unsafe sinks", "description": "innerHTML/dangerouslySetInnerHTML/v-html/document.write are absent, or the value is sanitized immediately before use"}
  • {"task": "Safe sinks preferred", "description": "textContent, setAttribute with a hardcoded name, and .value are used wherever markup rendering isn't required"}
  • {"task": "URL scheme validated", "description": "URLs built from untrusted input are allowlisted to http/https before use in href/src/redirects"}
  • {"task": "Sanitizer applied last", "description": "HTML sanitization happens immediately before render and isn't followed by further concatenation or mutation"}
  • {"task": "CSP is secondary", "description": "Any CSP/WAF/interceptor is documented as defense in depth, not the sole XSS control"}

AI Review Rules

AI assistants can write and review rendering code, but they should show their evidence.

  • Ask the assistant to list every place the change writes untrusted data into HTML, JavaScript, a URL, or CSS before judging safety.
  • Require the assistant to name the specific sink or template construct used for each write, and state whether it is a safe sink, a dangerous sink, or a dangerous sink paired with sanitization.
  • Have the assistant show where sanitization happens and confirm nothing runs after it that could reintroduce unsanitized data.
  • Do not let the assistant claim a Content-Security-Policy header alone makes a dangerous sink safe.
  • Re-run review after any change to rendering logic, sanitizer configuration, or third-party script includes.

Troubleshooting

  • Encoded output shows literal &lt;/&gt; instead of rendering markup: that is expected for HTML entity encoding of plain text; if markup rendering is actually required, sanitize the HTML instead of switching back to an unsafe sink.
  • A sanitizer strips content the feature needs: adjust the sanitizer's allowlist of tags/attributes rather than bypassing sanitization or switching to innerHTML with raw input.
  • It renders fine in the framework's template but breaks when built manually: the framework's default binding already encodes for you; a manual DOM write or raw HTML string bypasses that and needs its own encoding or sanitization.
  • CSP reports block a legitimate inline script: move the script to an external file or a nonce-based include rather than relaxing CSP to unsafe-inline, and keep pursuing output-side fixes for the underlying sink.

Duplicate And History Check

Before adding new HTML-rendering or sanitization logic, confirm the codebase does not already have a shared rendering helper, template component, or sanitizer wrapper that solves this. A generated change that reaches for a raw DOM API or hand-rolled encoding next to an existing safe helper should be treated as suspicious — check whether the existing helper was simply not reused before introducing a second, parallel mechanism.

Context Reference

Context Example Sample Defense
HTML body <span>DATA</span> HTML entity encoding, or .textContent
HTML attribute <input value="DATA"> Quote the attribute, HTML attribute encoding
URL / GET parameter <a href="/search?q=DATA"> URL encoding, then HTML attribute encoding
JavaScript variable <script>var x='DATA';</script> JavaScript encoding inside an already-quoted value
CSS value <div style="width: DATA;"> CSS hex encoding, or element.style.property = x
Untrusted HTML <div>DATA (rich text)</div> HTML sanitization (e.g. DOMPurify), not encoding
DOM-based document.write(location.hash) Avoid the sink; see the DOM-based XSS cheat sheet

Sources

  • OWASP Cross-Site Scripting Prevention Cheat Sheet
  • OWASP DOM-based XSS Prevention Cheat Sheet
  • OWASP XSS attack reference
  • MDN Web Docs: Cross-site scripting (XSS)
  • CWE-79: Improper Neutralization of Input During Web Page Generation

Source citations

Add this badge to your README

Show that AI-Generated XSS (Cross-Site Scripting) Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/rules/ai-generated-xss-review-rules.svg)](https://heyclau.de/entry/rules/ai-generated-xss-review-rules)

How it compares

AI-Generated XSS (Cross-Site Scripting) Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

1 trust signal differ across this comparison (Submitter).

Field

Source-backed rules for reviewing AI-generated code that renders untrusted data into HTML, JavaScript, URLs, or CSS before merge for cross-site scripting risk, covering context-correct output encoding, dangerous DOM sinks, HTML sanitization, and Content-Security-Policy as defense in depth.

Open dossier

Source-backed rules for reviewing AI-generated request handlers and forms before merge for cross-site request forgery risk, covering state-changing method discipline, anti-CSRF token correctness, SameSite cookie posture, origin and referer checks, and safe handling of cookie-based sessions.

Open dossier

Source-backed rules for reviewing AI-generated endpoints and data-access code before merge for insecure direct object reference risk, covering per-request object-level authorization checks, scoped database lookups, identifier exposure, and consistent enforcement across read, write, and admin operations.

Open dossier

Source-backed rules for reviewing AI-generated code that deserializes data before merge for insecure deserialization risk, covering native serialization formats (pickle, PyYAML, Java Serializable) that can execute arbitrary code on untrusted input, safe data-interchange alternatives, and class allowlisting/integrity checks when native formats can't be avoided.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
SubmitterDifferslourincedaging0-commitsjaso0n0818lourincedaging0-commitslourincedaging0-commits
Install riskReview firstReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
Brand
Categoryrulesrulesrulesrules
Sourcesource-backedsource-backedsource-backedsource-backed
Authorlourincedaging0-commitsjaso0n0818lourincedaging0-commitslourincedaging0-commits
Added2026-07-152026-06-222026-07-152026-07-15
Platforms
Claude Code
Claude Code
Claude Code
Claude Code
Source repo
Safety notesA successful XSS injection runs attacker JavaScript in another user's browser session, enabling session/token theft, account takeover, keylogging, or unauthorized actions performed as that user. AI assistants frequently reach for innerHTML, dangerouslySetInnerHTML, or string-concatenated HTML because it is the shortest path to the desired rendering, without adding sanitization or switching to a safe sink. Relying only on a Content-Security-Policy header is not sufficient: CSP support and enforcement vary by browser, misconfiguration is common, and it does not address DOM-based XSS that never touches the network.A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies. AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request. Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it.A missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets. AI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects. Switching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check.Deserializing untrusted data with a native format's full-featured API (pickle, unsafe YAML, Java Serializable, PHP unserialize) can cause denial-of-service or remote code execution — the vulnerability triggers during deserializing itself, before any application logic runs on the result. AI assistants often reach for the most convenient deserialization call (pickle for Python object graphs, yaml.load for config-like YAML, ObjectInputStream for Java) without checking whether the input is trusted, since developer-controlled test data works regardless of which API is used. An integrity check (signature/MAC) added after deserialization already ran does not help — the attack happens during deserialization, so the check must gate the deserialization call itself, not just the object it produces.
Privacy notesXSS proof-of-concept payloads and captured DOM/session state can include real session tokens, cookies, or personal data; use synthetic accounts and redact captures before pasting them into a PR or issue. Sanitizer configuration (allowed tags/attributes) can itself leak intent about what user-generated content the product stores; avoid documenting real user content samples in public review threads. Third-party scripts and widgets execute with the same DOM access as first-party code; disclose any new third-party script include as part of the change under review.CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues. Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers. Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards.IDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue. Do not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders. Server-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied.Deserialization proof-of-concept payloads (e.g. a crafted pickle or Java serialized stream) can trigger real code execution in a test environment; run them only in an isolated, disposable sandbox, never against a shared or production system. Do not commit real crafted exploit payloads, credentials, or internal class/package names discovered while testing into a public PR or issue; describe the vulnerable pattern instead of attaching a working exploit.
Prerequisites
  • A pull request, diff, or snippet containing AI-generated or AI-edited code that renders variables into HTML, JavaScript, a URL, or CSS, or that calls DOM-manipulation APIs.
  • Knowledge of which values in the change are untrusted (user input, query params, third-party API responses, database content originally sourced from users).
  • Awareness of the framework's default auto-escaping behavior and which of its APIs bypass that escaping.
  • Permission to block merge when untrusted data reaches a dangerous sink without context-correct encoding or sanitization.
  • A pull request, diff, or snippet containing an AI-generated or AI-edited request handler, form, or fetch call with enough context to know how the user is authenticated.
  • Knowledge of how the framework manages sessions and CSRF tokens, since built-in protection, cookie defaults, and token helpers differ between frameworks.
  • Awareness of which routes change state and which are read-only, so the review can focus on unsafe methods.
  • Permission to block merge when a cookie-authenticated state change ships without a CSRF defense.
  • A pull request, diff, or snippet containing an AI-generated or AI-edited endpoint, resolver, or data-access function that accepts an object identifier from the request.
  • Knowledge of the application's ownership/permission model, since what counts as "authorized" differs between single-owner resources, shared resources, and admin-only resources.
  • Access to at least two distinct user accounts (or awareness of how to create them) to verify cross-account access is actually denied, not just assumed.
  • Permission to block merge when an object-level authorization check is missing, inconsistent, or client-trusted.
  • A pull request, diff, or snippet containing AI-generated or AI-edited code that deserializes, unpickles, unmarshals, or loads structured data from an external source.
  • Knowledge of which deserialization APIs the language/framework in use considers "safe" versus "native/unsafe" (this differs significantly between Python, Java, PHP, Ruby, and JS/Node).
  • Awareness of which data sources in the application are genuinely untrusted (client-supplied, cross-service, or user-uploaded) versus fully internal and controlled.
  • Permission to block merge when untrusted data reaches a native deserialization API without an allowlist or integrity check.
Install
Config
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.