Property
Language	generic
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	High
Impact Level	Medium
Likelihood Level	High

Description

Visualforce pages are missing the ‘cspHeader’ attribute set to true, which means they do not enforce modern browser security controls against malicious scripts. This makes the page more vulnerable to cross-site scripting (XSS) attacks.

Impact

If exploited, attackers could inject and execute unauthorized JavaScript in users’ browsers, potentially leading to data theft, session hijacking, or unauthorized actions in the Salesforce environment. This can compromise user accounts, sensitive business data, and overall application security.

Property
Language	generic
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

Using template variables directly inside tags can allow untrusted data to be interpreted as JavaScript code. HTML escaping does not fully protect against cross-site scripting (XSS) when injecting data into scripts.

Property
Language	generic
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

Dynamically inserting template variables into the ‘src’ attribute of a script tag can allow attackers to inject malicious scripts, even if the variable is HTML-escaped. Using user-controlled or untrusted data for script URLs makes the page vulnerable to cross-site scripting (XSS) attacks.

Property
Language	generic
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

A template variable is being used as an HTML attribute value without quotes. This allows user input to be injected directly into the page, which can let attackers add malicious code.

Impact

If exploited, an attacker could inject arbitrary JavaScript into your application, leading to cross-site scripting (XSS) attacks. This can result in stolen user data, compromised accounts, or further attacks against your users and systems.

Property
Language	generic
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

Using a template variable directly in an anchor tag’s href attribute allows user input to define the link destination. If not properly validated or encoded, attackers can inject malicious URLs, such as those starting with ‘javascript:’, leading to XSS vulnerabilities.

Property
Language	generic
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

Rendering JSON data directly in HTML using @Html.Raw without proper encoding can expose your application to cross-site scripting (XSS) attacks. Special characters in the JSON, like , may break out of script contexts and allow attackers to inject malicious scripts.

Property
Language
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

Assigning raw user input directly to types like template.HTML, template.JS, or template.CSS in Go bypasses automatic escaping and can allow unsafe content into templates. This practice makes it easy for attackers to inject malicious scripts or code.

Property
Language
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

The code passes dynamically constructed or user-influenced strings directly to template.URL(), which does not escape input. This can allow untrusted data to be inserted into web pages as URLs without proper sanitization.

Impact

If exploited, attackers could inject malicious JavaScript or crafted links, leading to cross-site scripting (XSS) attacks. This can result in data theft, session hijacking, or compromise of user accounts and sensitive information.

Property
Language
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Low

Description

User input from URL query parameters is being directly included in HTTP responses using printf-style formatting without sanitization. This allows attackers to inject malicious scripts into web pages, leading to cross-site scripting (XSS) vulnerabilities.

Impact

If exploited, attackers can execute arbitrary JavaScript in users’ browsers, potentially stealing session cookies, impersonating users, defacing the site, or launching further attacks. This compromises user data and trust, and may expose the organization to regulatory and reputational risks.

Property
Language
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

Using ’template.JS()’ with formatted or concatenated strings can embed unescaped user-controlled data directly into JavaScript code. This makes it easy for attackers to inject malicious scripts if any part of the data comes from untrusted sources.