Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A7:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Django's {% blocktranslate %} tag (spelled {% blocktrans %} in older releases) looks up the block's text in the active message catalog and inserts the translated string into the page as-is: unlike a {{ variable }} rendered under autoescaping, the msgstr itself is not HTML-escaped, only the variables interpolated into it are. Anyone who can change the .po/.mo files for a locale (a translator, a translation-platform integration, a dependency that ships locale files) can therefore place raw HTML or a <script> element in a translation, and it is rendered unchanged wherever that block appears.
Impact#
If exploited, an attacker who controls a translation can inject script into the rendered page, a stored cross-site scripting (XSS) condition that fires for every user whose locale selects that catalog, with no per-victim interaction. This may expose user data and session material, allow account hijacking, or let the attacker perform actions as other users, undermining the application's security and user trust.