Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language | regex |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
The template uses the ‘| safe’ filter in Flask to disable autoescaping, which allows raw HTML to be rendered. If any user-supplied data is passed through this filter, it can lead to cross-site scripting (XSS) vulnerabilities.
Impact#
If exploited, an attacker could inject malicious scripts into the page, allowing them to steal user data, hijack sessions, or perform actions on behalf of users. This can compromise user accounts and damage the application’s reputation.