Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using Rails’ ‘content_tag’ helper can unintentionally allow unescaped user input into HTML, especially for tag and attribute names or when rendering raw HTML. This creates a risk where attackers could inject malicious scripts into your pages.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using ‘html_safe’ in Rails views disables automatic HTML escaping, which can allow untrusted user input to be rendered as raw HTML. If any user-controlled data is marked as ‘html_safe’, it can introduce serious security risks.

Impact

If exploited, attackers can inject malicious scripts (XSS) into your web pages, leading to data theft, account compromise, or defacement. This can undermine user trust, expose sensitive information, and potentially allow attackers to act on behalf of users in your application.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using unquoted template variables as HTML attribute values can allow user input to break out of the attribute and inject malicious JavaScript. Always wrap template expressions in quotes to prevent this type of injection.

Impact

If exploited, attackers could execute arbitrary JavaScript in users’ browsers (XSS), potentially stealing session cookies, impersonating users, or modifying site content. This can lead to data breaches, account compromise, and damage to user trust.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using the ‘raw’ helper in Rails views outputs HTML without escaping it, which means any user-supplied content will be rendered as-is. If untrusted data reaches this point, it can lead to security issues.

Impact

An attacker could inject malicious scripts into your web pages, potentially stealing user data, hijacking sessions, or defacing the site. This exposes your application and its users to cross-site scripting (XSS) attacks.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

User-controlled data is being directly inserted into the href attribute of an anchor tag. This allows attackers to inject malicious links, such as those starting with ‘javascript:’, leading to possible cross-site scripting (XSS) attacks.

Impact

If exploited, an attacker could execute arbitrary JavaScript in the user’s browser, potentially stealing session cookies, compromising user accounts, or defacing the site. This can result in loss of user trust and potential legal or compliance issues for the organization.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using unsanitized template variables directly in the ‘link_to’ helper can allow user-controlled data to end up in the href attribute. This makes it possible for attackers to inject malicious URLs, such as those starting with ‘javascript:’, leading to security risks.
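The check the two href rules above call for, as an added example that is not part of the catalogue or of Rails: a scheme allow-list applied before a URL reaches the anchor, wrapped in a stand-in for link_to. ALLOWED_SCHEMES and the "#" fallback are this example's own choices.

```ruby
require "uri"
require "cgi"

# Added example, not from the catalogue or from Rails: link_to (and a hand-written
# <a href="...">) will emit whatever URL it is handed, so the scheme has to be
# checked first. Accepts absolute http(s) URLs and site-relative paths; anything
# else collapses to "#". ALLOWED_SCHEMES is this example's own choice.
ALLOWED_SCHEMES = %w[http https].freeze

def safe_href(candidate)
  str = candidate.to_s.strip
  return "#" if str.empty?
  # Site-relative path. "//host" and "/\host" are protocol-relative to browsers
  # and would change the origin, so they are not accepted as paths.
  return str if str.match?(%r{\A/(?![/\\])})
  uri = URI.parse(str)
  return "#" unless uri.scheme && ALLOWED_SCHEMES.include?(uri.scheme.downcase) && uri.host
  str
rescue URI::InvalidURIError
  # Control characters or other junk a browser might tolerate but URI rejects.
  "#"
end

# Stand-in for link_to(text, url): the href is validated, then both parts are
# HTML-escaped for the attribute and text contexts.
def link_to(text, url)
  %(<a href="#{CGI.escapeHTML(safe_href(url))}">#{CGI.escapeHTML(text.to_s)}</a>)
end
```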

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using <%== ... %> in Rails templates outputs content as raw HTML, bypassing automatic escaping. This can expose your application to cross-site scripting (XSS) if untrusted user input is rendered.

Impact

If exploited, attackers could inject malicious scripts into web pages, leading to data theft, session hijacking, or defacement. This compromises user trust and could expose sensitive information or allow further attacks on your application.
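How the content_tag, html_safe, unquoted-attribute, raw and <%== %> rules above relate, as an added example that is not from the catalogue or from Rails: a small stand-in for Rails' escape-on-output rule, with a constructed input run through each of the flagged patterns. `Trusted`, `out`, ALLOWED_TAGS and the helper names are this example's own.

```ruby
require "cgi"

# Added example, not from the rule catalogue or Rails itself. `Trusted` stands in
# for ActiveSupport::SafeBuffer: Rails escapes every value on output unless it
# was marked safe with html_safe / raw / <%== %>.
class Trusted < String; end

# Output-time escaping, as Rails' <%= %> does it.
def out(value)
  value.is_a?(Trusted) ? value.to_s : CGI.escapeHTML(value.to_s)
end

# Equivalent of raw(x) or x.html_safe: opts the value out of escaping. Only
# markup the application built itself should ever go through here.
def html_safe(markup)
  Trusted.new(markup)
end

# <%= name %>: the input is inert text.
def greeting(name)
  "<p>Hello, #{out(name)}</p>"
end

# <%== name %>, raw(name) or name.html_safe: the input becomes live markup.
def greeting_raw(name)
  "<p>Hello, #{out(html_safe(name))}</p>"
end

# Escaping alone does not help an unquoted attribute: CGI.escapeHTML leaves
# spaces and '=' untouched, so the value can still add attributes of its own.
def avatar_unquoted(css_class)
  %(<img class=#{out(css_class)} src="/avatar.png">)
end

# Quoting the attribute keeps the whole value inside class="...".
def avatar_quoted(css_class)
  %(<img class="#{out(css_class)}" src="/avatar.png">)
end

# content_tag escapes the body but trusts the tag name, so take the name from
# an allow-list (an assumption of this example), never from the request.
ALLOWED_TAGS = %w[p span strong em].freeze

def content_tag(name, body)
  raise ArgumentError, "tag not allowed: #{name.inspect}" unless ALLOWED_TAGS.include?(name)
  "<#{name}>#{out(body)}</#{name}>"
end
```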

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: regex
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using triple braces ‘{{{…}}}’ or ampersand ‘&’ in Mustache templates disables HTML escaping, which means any data rendered here is inserted as raw HTML. If user-supplied or external data reaches these spots, it can introduce malicious scripts into your web pages.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: regex
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.
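The point made by both script-tag rules (this one and the earlier generic one), as an added example that is not from the catalogue: one constructed value placed into a page three ways, showing where HTML escaping inside <script> falls short and what the two alternatives the rule suggests look like. The encoder here uses Ruby's JSON module plus a hex-escape pass rather than OWASP ESAPI; JS_ESCAPES and the helper names are this example's own.

```ruby
require "json"
require "cgi"

# Added example, not from the catalogue: the same constructed value placed into
# a page three ways, showing why HTML escaping inside <script> is not enough and
# what the rule's two alternatives look like.
JS_ESCAPES = { "<" => '\u003c', ">" => '\u003e', "&" => '\u0026',
               "\u2028" => '\u2028', "\u2029" => '\u2029' }.freeze

# JSON literal that is safe to embed in <script>: JSON.generate quotes and
# backslash-escapes the string, then the characters the HTML parser or the
# script parser could misread are turned into \uXXXX escapes, so "</script>"
# can never close the tag early.
def to_js_literal(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/, JS_ESCAPES)
end

# What the rule flags: <script>var id = <%= id %>;</script>. HTML escaping only
# touches < > & " ', so ";" and "()" survive and the input runs as code.
def script_html_escaped(id)
  "<script>var id = #{CGI.escapeHTML(id.to_s)};</script>"
end

# Fix 1: JavaScript-specific encoding. The value is always one string literal.
def script_json(id)
  "<script>var id = #{to_js_literal(id.to_s)};</script>"
end

# Fix 2 (the rule's first suggestion): keep the data out of <script> entirely.
# It lives in an HTML attribute, where HTML escaping is the right tool, and page
# JavaScript reads it with document.getElementById("ctx").dataset.id.
def data_attribute(id)
  %(<div id="ctx" data-id="#{CGI.escapeHTML(id.to_s)}"></div>)
end
```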