Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: ruby
Severity: high
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

User input is being passed directly into the body or URL of Rails’ link_to helper without proper escaping or validation. This can allow attackers to inject malicious content or scripts into generated links.

Impact

If exploited, an attacker could perform Cross-Site Scripting (XSS) by injecting JavaScript or other harmful code, potentially leading to session hijacking, data theft, or unauthorized actions on behalf of users. It undermines application trust and can result in data breaches or compromise of user accounts.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: ruby
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using the raw() method in Rails disables automatic HTML escaping, which means any untrusted data rendered this way can include malicious scripts. This exposes your application to cross-site scripting (XSS) vulnerabilities if user input is displayed using raw().

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: ruby
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Manually creating ERB templates in code can introduce security risks, especially if user input is included in the template content. This practice may lead to server-side template injection (SSTI) or cross-site scripting (XSS) vulnerabilities.

Impact

If exploited, attackers could execute malicious code on the server or inject harmful scripts into web pages, potentially leading to data theft, account compromise, or unauthorized access to sensitive information. This can severely damage user trust and the security of the application.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: ruby
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using ‘render text:’ in Rails sets the response content-type to ‘text/html’, which means any user-supplied data rendered this way can be interpreted as HTML. This can allow attackers to inject malicious scripts if external input is included, leading to cross-site scripting (XSS) vulnerabilities.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: ruby
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using ‘render inline:’ in Rails allows entire ERB templates to be rendered directly from strings, which can expose your app to security risks if any user input is included. This can lead to attackers injecting malicious code that gets executed or displayed in the browser.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: ruby
Severity: high
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User-controlled input is used directly in the host portion of a URL for server-side HTTP requests. This allows attackers to specify arbitrary destinations for outgoing requests, putting sensitive data at risk.

Impact

If exploited, attackers could trick the server into connecting to malicious or internal systems, potentially exposing sensitive data (like cookies or credentials), leaking internal network information, or enabling further attacks such as accessing protected resources (SSRF).

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: ruby
Severity: high
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

User input is being directly inserted into manually constructed HTML strings without proper sanitization. This practice can introduce security risks if the input contains malicious code.

Impact

If exploited, attackers could inject malicious scripts into your application’s web pages (Cross-Site Scripting/XSS), allowing them to steal user data, hijack sessions, or perform actions on behalf of users, potentially compromising sensitive information and user trust.

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Property
Language: javascript
Severity: low
CWE: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using the serialize-javascript library with the unsafe: true option can allow untrusted input to be serialized as raw JavaScript, making your application vulnerable to cross-site scripting (XSS) attacks. This happens because dangerous content isn’t properly escaped before being sent to the browser.

Improper Neutralization of Special Elements in Data Query Logic

Property
Language: apex
Severity: critical
CWE: CWE-943: Improper Neutralization of Special Elements in Data Query Logic
OWASP: A03:2021 - Injection
Confidence Level: High
Impact Level: High
Likelihood Level: High

Description

If a dynamic query must be used, leverage nFORCE Query Builder. In other programming languages, the related flaw is known as SQL injection. Apex doesn’t use SQL, but uses its own database query language, SOQL. SOQL is much simpler and more limited in functionality than SQL. The risks are much lower for SOQL injection than for SQL injection, but the attacks are nearly identical to traditional SQL injection. SQL/SOQL injection takes user-supplied input and uses those values in a dynamic SOQL query. If the input isn’t validated, it can include SOQL commands that effectively modify the SOQL statement and trick the application into performing unintended commands.

Improper Neutralization of Special Elements in Data Query Logic

Property
Language: apex
Severity: critical
CWE: CWE-943: Improper Neutralization of Special Elements in Data Query Logic
OWASP: A03:2021 - Injection
Confidence Level: High
Impact Level: High
Likelihood Level: High

Description

If a dynamic query must be used, leverage nFORCE Query Builder. In other programming languages, the related flaw is known as SQL injection. Apex doesn’t use SQL, but uses its own database query language, SOQL. SOQL is much simpler and more limited in functionality than SQL. The risks are much lower for SOQL injection than for SQL injection, but the attacks are nearly identical to traditional SQL injection. SQL/SOQL injection takes user-supplied input and uses those values in a dynamic SOQL query. If the input isn’t validated, it can include SOQL commands that effectively modify the SOQL statement and trick the application into performing unintended commands.