Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | Value |
|---|---|
| Language | regex |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Autoescaping is disabled in a Flask (Jinja2) template segment, so everything rendered inside that segment, including any user-supplied content, is emitted as raw HTML without escaping. This exposes the template to cross-site scripting (XSS) unless every value rendered inside the segment is strictly controlled.
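The following is an added example and is not part of the rule or of Flask itself. It shows, on a constructed Jinja2 template, a regex-based check in the spirit of this rule that reports template expressions rendered inside an `{% autoescape false %}` ... `{% endautoescape %}` block, and it mimics what autoescaping does to a value so the difference between the escaped and raw rendering is visible. The regex patterns, the sample template and the `user.bio` / `user.name` variables are assumptions made for the example, not the rule's actual pattern.

```python
import html
import re

# Constructed sample template (not from the page). Line 2 switches autoescaping
# off, so the expression on line 3 is rendered as raw HTML; line 5 is rendered
# with Flask's default autoescaping for .html templates.
SAMPLE_TEMPLATE = """<h1>Profile</h1>
{% autoescape false %}
<p>Bio: {{ user.bio }}</p>
{% endautoescape %}
<p>Name: {{ user.name }}</p>
"""

# Assumed patterns for the example: the Jinja2 block tags that turn
# autoescaping off and back on, and a {{ ... }} output expression.
AUTOESCAPE_OFF = re.compile(r"\{%-?\s*autoescape\s+false\s*-?%\}", re.IGNORECASE)
AUTOESCAPE_END = re.compile(r"\{%-?\s*endautoescape\s*-?%\}", re.IGNORECASE)
VARIABLE = re.compile(r"\{\{\s*(.*?)\s*\}\}")


def find_unescaped_segments(template: str) -> list[dict]:
    """Report every {{ expression }} that is rendered while autoescaping is off.

    Each finding records the line of the expression, the expression text and
    the line on which the enclosing autoescape-false block was opened.
    """
    findings = []
    autoescape_on = True
    open_line = None
    for lineno, line in enumerate(template.splitlines(), start=1):
        if AUTOESCAPE_OFF.search(line):
            autoescape_on = False
            open_line = lineno
        if not autoescape_on:
            for expr in VARIABLE.findall(line):
                findings.append(
                    {"line": lineno, "expr": expr, "segment_start": open_line}
                )
        if AUTOESCAPE_END.search(line):
            autoescape_on = True
            open_line = None
    return findings


def render_value(value: str, autoescape: bool) -> str:
    """Mimic what Jinja2 does with a {{ value }} expression.

    With autoescaping on, the HTML-significant characters are escaped so the
    browser shows them as text; with it off, the string is emitted verbatim
    and any markup in it becomes part of the page.
    """
    return html.escape(value, quote=True) if autoescape else value


if __name__ == "__main__":
    for finding in find_unescaped_segments(SAMPLE_TEMPLATE):
        print(
            f"line {finding['line']}: {{{{ {finding['expr']} }}}} is rendered "
            f"without escaping (autoescape disabled on line {finding['segment_start']})"
        )
    # Constructed user-controlled value containing markup.
    untrusted = "<b>hello</b>"
    print("escaped :", render_value(untrusted, autoescape=True))
    print("raw     :", render_value(untrusted, autoescape=False))
```

The fix the rule points at is to keep the default autoescaping and, where a specific value genuinely must contain HTML, to sanitize that single value before marking it safe, rather than disabling escaping for a whole segment.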
Impact
If an attacker manages to inject malicious scripts through user input, they could execute code in other users’ browsers, steal session cookies, hijack accounts, or perform actions on behalf of users. This can lead to data breaches, loss of user trust, and potential regulatory violations.