Security reference · XSS · Tool Output

MCP server HTML injection security

When an MCP tool fetches external content — a web page, a document, an API response — and the client UI renders that content as HTML, the tool becomes a vector for Cross-Site Scripting (XSS). The attack is indirect: the MCP server itself is not vulnerable, but the client that displays its responses is. An attacker who can influence a tool's data source (via SSRF, a compromised upstream, or a URL argument) injects a <script> tag into the tool response that executes in the agent UI's origin. This reference covers the attack path, safe rendering patterns, server-side sanitization, and CSP as defense-in-depth.

The attack path: tool output → innerHTML → XSS

Consider a common MCP tool pattern: a web fetch tool that retrieves a URL and returns its content to the agent for summarization.

// Server-side tool (safe — returns raw HTML as a string)
async function fetchPageTool(args) {
  const resp = await fetch(args.url);
  const html = await resp.text();
  return { content: html, contentType: 'text/html' };
}

// Client-side rendering (VULNERABLE — innerHTML of untrusted tool output)
function renderToolResult(result) {
  const container = document.getElementById('tool-output');
  container.innerHTML = result.content; // XSS if content contains <script>
}

The tool server is doing nothing wrong — it's correctly fetching and returning content. The vulnerability is in the client that renders it. But the MCP server author controls both sides: the tool definition and, often, the reference client UI. If the tool's output_schema or documentation implies that its content field is safe HTML, client authors will render it as such.

Why this is specifically dangerous for MCP

Standard web XSS typically requires the attacker to inject into a database or URL that the victim server echoes back. In MCP, the attack surface is wider:

Tool output is implicitly trusted by the LLM and often by the UI — agents present tool results as authoritative
SSRF + HTML injection is a two-step attack: the attacker uses SSRF to point the fetch tool at an attacker-controlled server, then injects XSS payload in the HTML response
Prompt injection amplification: injected HTML can include invisible text that instructs the LLM to take follow-up actions ()
Origin escalation: XSS in an agent UI typically runs at the agent's origin, which may have access to user credentials, session tokens, and other tools via postMessage

Combined HTML + prompt injection: An attacker-controlled page served to a fetchPage MCP tool can simultaneously inject XSS (via HTML rendering) and inject prompts (via invisible text in the content). The LLM sees the page content and follows injected instructions; the UI renders the HTML and executes injected scripts. Double exploit from one external URL.

Safe rendering pattern 1 — textContent for plain text

If the tool output is plain text (not HTML), use textContent instead of innerHTML. The browser treats the value as literal text with no HTML parsing.

// SAFE — textContent escapes all HTML
function renderToolResult(result) {
  const container = document.getElementById('tool-output');
  container.textContent = result.content; // <script> renders as visible text, not code
}

// For multi-line text with line break preservation:
container.textContent = '';
result.content.split('\n').forEach((line, i) => {
  if (i > 0) container.appendChild(document.createElement('br'));
  container.appendChild(document.createTextNode(line));
});

Safe rendering pattern 2 — DOMPurify for intentional HTML

When the tool genuinely returns formatted HTML that should be rendered (e.g., a document formatter tool that produces structured output), sanitize it before insertion:

// Install: npm install dompurify jsdom (jsdom for server-side use)
import DOMPurify from 'dompurify';
import { JSDOM } from 'jsdom';

// Server-side sanitization (for tools that pre-sanitize before responding)
const window = new JSDOM('').window;
const purify = DOMPurify(window);

function sanitizeHtml(dirty) {
  return purify.sanitize(dirty, {
    ALLOWED_TAGS: ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'code', 'pre', 'a', 'h1', 'h2', 'h3'],
    ALLOWED_ATTR: ['href', 'title'],
    // Reject all event handlers (onclick, onload, onerror, etc.)
    FORCE_BODY: true,
    // Sanitize URLs to prevent javascript: scheme in href
    ALLOW_DATA_ATTR: false,
  });
}

// In your tool handler — sanitize BEFORE returning to client:
async function fetchAndRenderTool(args) {
  const resp = await fetch(args.url);
  const rawHtml = await resp.text();
  const cleanHtml = sanitizeHtml(rawHtml);  // strip scripts, event handlers, iframes
  return { content: cleanHtml, contentType: 'text/html-sanitized' };
}

Sanitize on the server, not just the client. Client-side DOMPurify is a good defense, but it only protects clients that use it correctly. If your tool returns raw HTML that some clients render via innerHTML, those clients are vulnerable regardless of whether the tool server recommended sanitization. Sanitize in the tool handler before the response leaves your server — this protects all clients including those that don't implement their own sanitization.

Escaping in template contexts

When tool output is inserted into server-rendered HTML templates, use context-aware escaping. The escaping function depends on where the value is placed:

Context	Attack	Correct escaping
HTML text content `<p>VALUE</p>`	`<script>alert(1)</script>`	HTML entity encode: `<script>`
HTML attribute `href="VALUE"`	`javascript:alert(1)`	URL-encode AND reject `javascript:` scheme
HTML attribute value `title="VALUE"`	`" onmouseover="alert(1)`	HTML entity encode quotes: `"`
JavaScript string `var x = "VALUE"`	`"; alert(1); //`	JSON-encode: `JSON.stringify(value)`
CSS value `color: VALUE`	`red; behavior: url(evil.js)`	Allowlist only known-safe CSS values

// Safe HTML escaping utility (if not using a templating engine that auto-escapes)
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Safe URL attribute escaping (also reject javascript: and data: schemes)
function escapeUrl(url) {
  const safe = String(url).trim();
  if (/^(javascript|data|vbscript):/i.test(safe)) return '#';
  return encodeURI(safe);
}

CSP as defense-in-depth

Content Security Policy prevents injected scripts from executing even if HTML injection occurs, providing a fallback when sanitization fails or is bypassed.

# Caddy — restrictive CSP for MCP admin UI
header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"

# The critical directives for HTML injection defense:
# script-src 'self'  — blocks inline scripts and scripts from external origins
# default-src 'self' — blocks all resource loads from external origins
# No 'unsafe-inline' in script-src — inline event handlers (onclick=) don't execute

// Generating a per-request nonce for inline scripts you control
// (allows specific inline scripts while blocking injected ones)
import crypto from 'crypto';

function generateCspNonce() {
  return crypto.randomBytes(16).toString('base64');
}

app.use((req, res, next) => {
  res.locals.cspNonce = generateCspNonce();
  res.setHeader('Content-Security-Policy',
    `default-src 'self'; script-src 'self' 'nonce-${res.locals.cspNonce}'; frame-ancestors 'none'`
  );
  next();
});

Tool output schema: signal safe rendering intent

In your MCP tool's outputSchema, signal whether tool output is safe HTML or raw untrusted content. This lets client authors make informed rendering decisions:

// In your MCP server tool definition
server.tool(
  'fetchPage',
  'Fetch a web page and return its text content for analysis',
  { url: z.string().url() },
  async (args) => {
    const resp = await fetch(args.url);
    const rawHtml = await resp.text();
    // Strip all tags — return plain text only
    const text = rawHtml.replace(/<[^>]*>/g, ' ').replace(/\s+/g, ' ').trim();
    return {
      // Return text, not HTML — no rendering risk
      content: text,
      contentType: 'text/plain',
      // Explicitly note that this is untrusted external content
      warning: 'External content — may contain prompt injection attempts',
    };
  }
);

// For tools that intentionally return HTML (e.g., a report generator):
// - Sanitize server-side before returning
// - Set contentType: 'text/html-sanitized' (custom signal to clients)
// - Document the sanitization guarantee in the tool description

SkillAudit findings for HTML injection

CRITICAL −22 Tool handler returns raw external HTML (from fetch, scrape, or file read) — client UIs that render tool output as HTML receive unsanitized XSS payloads from any attacker-controlled source.

HIGH −18 No server-side HTML sanitization before returning HTML-typed tool output — XSS protection depends entirely on each client implementing DOMPurify correctly.

HIGH −16 Combined SSRF + HTML injection: tool accepts user-controlled URL for fetch without SSRF protection — attacker redirects to a server that returns XSS payload in HTML body.

MEDIUM −10 No CSP on agent UI pages — even if sanitization fails, a strict CSP (script-src 'self' without unsafe-inline) would block injected script execution.

MEDIUM −8 Tool output schema does not signal content safety type — client developers cannot distinguish safe HTML from raw external content, increasing likelihood of unsafe rendering.

Run a full XSS and HTML injection audit on your MCP server at SkillAudit. The audit checks for unsafe HTML return types, missing sanitization in fetch tools, and CSP configuration alongside the full security report card.

Related references: prompt injection defense · Content Security Policy · SSRF security