ast/reflected-xss-via-res-send

Reflected XSS: response body sourced from user input

Severity: high · AST · xss · CWE-79 · Languages: js · ts

What it detects

res.send, res.write or res.end was called with a body sourced from req.body, req.query, req.params, req.headers, ctx.request, or `userInput`. When the body is a string and no Content-Type has been set, Express infers Content-Type: text/html, so any <script> in the user input runs in the visitor's browser. Fix it in one of three ways: send the value via res.json (which sets Content-Type: application/json, a type the browser will NOT parse as HTML), run the input through an HTML encoder before sending, or set Content-Type: text/plain explicitly.
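The call shape the rule flags, next to the three accepted fixes, as an added example that is not part of this rule's documentation or of Express itself. It uses plain Node with a small stand-in for the Express response object (makeRes, an assumption here, mirrors only the Content-Type behaviour described above) and a constructed query value, so it runs offline.

```javascript
// Added example: the flagged shape (req.query flowing into res.send) beside
// the three fixes the rule accepts. Uses a minimal stand-in for Express's
// response object rather than Express itself, so it runs with plain Node.

// Minimal HTML encoder for the five characters that matter in element content
// and double-quoted attribute values. Assumption: the encoded value lands in
// one of those two contexts, not inside <script>, a URL, or an event handler.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for Express's res: records headers and body so we can inspect what
// would have reached the browser. Only the Content-Type rules relevant here
// are modelled.
function makeRes() {
  const res = { headers: {}, body: undefined };
  res.setHeader = (k, v) => { res.headers[k.toLowerCase()] = v; };
  res.end = (b) => { res.body = b; return res; };
  // Mirrors Express: a string body with no Content-Type set goes out as text/html.
  res.send = (b) => {
    if (typeof b === 'string' && !res.headers['content-type']) {
      res.setHeader('Content-Type', 'text/html; charset=utf-8');
    }
    return res.end(b);
  };
  res.json = (obj) => {
    res.setHeader('Content-Type', 'application/json; charset=utf-8');
    return res.end(JSON.stringify(obj));
  };
  res.type = (t) => { res.setHeader('Content-Type', t); return res; };
  return res;
}

// The shape the rule reports: user input goes straight into the HTML body.
function vulnerableHandler(req, res) {
  res.send('Hello ' + req.query.name);
}

// Fix 1: HTML-encode before sending. Still text/html, but the markup is inert.
function escapedHandler(req, res) {
  res.send('Hello ' + escapeHtml(req.query.name));
}

// Fix 2: send JSON. Browsers do not render application/json as HTML.
function jsonHandler(req, res) {
  res.json({ greeting: 'Hello ' + req.query.name });
}

// Fix 3: declare text/plain explicitly so the markup is displayed, not executed.
function plainHandler(req, res) {
  res.type('text/plain').send('Hello ' + req.query.name);
}

// Run a handler against a constructed request (as if ?name=... were supplied)
// and return what the browser would receive.
function run(handler, name) {
  const req = { query: { name } };
  const res = makeRes();
  handler(req, res);
  return { contentType: res.headers['content-type'], body: res.body };
}

// Constructed test input: harmless, but enough to show whether markup survives.
const PAYLOAD = '<script>alert(1)</script>';

for (const [label, handler] of [
  ['vulnerable', vulnerableHandler],
  ['escaped', escapedHandler],
  ['json', jsonHandler],
  ['plain', plainHandler],
]) {
  console.log(label, run(handler, PAYLOAD));
}
```

Only the vulnerable handler returns the raw `<script>` tag under text/html; the escaped handler keeps text/html but the tag is entity-encoded, and the JSON and text/plain handlers keep the tag intact but under a Content-Type the browser will not execute. Note that escapeHtml is sufficient for element content and quoted attributes only; a value placed in a URL, a script block or an unquoted attribute needs context-specific encoding.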

How it runs

Each scanned file is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the resulting AST looking for the call shape and user-input flow described above. The rule is skipped for files larger than 200 KB and for files that fail to parse.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.