Property: Value
Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code injects variables directly into HTML through the Html() method without sanitizing or escaping them first. Any untrusted value that reaches this path is rendered as raw HTML rather than as text, so markup or script inside it becomes part of the page. This leaves the application exposed to cross-site scripting (XSS).
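As an added illustration (not code from the rule page or from any particular templating library), the JavaScript below contrasts the two paths the description distinguishes: a `renderRaw` helper that concatenates a variable into HTML as-is, standing in for the kind of Html()-style call the rule flags, and a `renderEscaped` helper that escapes the value first. The helper names, the page fragment, and the check function are assumptions made for this example.

```javascript
// Added example (not from the rule page): contrasts rendering untrusted input
// as raw HTML with rendering it escaped. `renderRaw` stands in for an
// Html()-style helper; the names and template are assumptions, not a real API.

// Escape the five characters that can change HTML context (text or attribute).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the variable is dropped into the page unchanged, so any
// markup it carries is interpreted by the browser.
function renderRaw(displayName) {
  return `<p>Welcome, ${displayName}</p>`;
}

// Hardened pattern: the variable is escaped before it reaches the HTML output,
// so the browser shows it as text.
function renderEscaped(displayName) {
  return `<p>Welcome, ${escapeHtml(displayName)}</p>`;
}

// Demo heuristic (not a sanitizer): after removing the tags the template itself
// emits, does any other tag remain in the output? Useful only to make the
// difference between the two render paths visible in a test.
function containsInjectedMarkup(html, templateTags = ["<p>", "</p>"]) {
  let stripped = html;
  for (const tag of templateTags) stripped = stripped.split(tag).join("");
  return /<[a-z!\/]/i.test(stripped);
}

// Constructed untrusted input: the textbook script payload a user could submit
// as a display name.
const untrustedName = '<script>alert("xss")</script>';

console.log("raw:     ", renderRaw(untrustedName));
console.log("escaped: ", renderEscaped(untrustedName));
```

The fix the rule points at is the second path: output-encode at the point where the value is written into HTML, and reserve raw-HTML helpers for content that is already trusted or has been run through an HTML sanitizer.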

Impact

If exploited, attackers could inject malicious scripts into your web pages, potentially stealing user sessions or sensitive data, or performing actions on behalf of users. This can compromise user trust, expose confidential information, and lead to regulatory or reputational damage.