Time Remaining4:00
mediumSecurityReact

The reflected echo

A developer asked an AI assistant to render a search page's 'Showing results for' message, bolding the term the user typed. The suggested code renders correctly for normal searches, but a malicious query turns into a working script tag on the page.

SearchResultsHeader.jsx
function SearchResultsHeader({ query }) {
  return (
    <h2
      dangerouslySetInnerHTML={{
        __html: `Showing results for: <strong>${query}</strong>`,
      }}
    />
  );
}

What happens if a user searches for <img src=x onerror=alert(document.cookie)>?

The browser executes the injected script — dangerouslySetInnerHTML renders the query as raw HTML with no escaping, a classic reflected XSS.
React automatically escapes the query before interpolation, so it renders as harmless text.
The <img> tag is stripped because dangerouslySetInnerHTML only allows <strong> and <em>.
The page throws a hydration error and refuses to render.