Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
When translated strings are rendered in templates without explicit escaping, malicious code (like script tags) can be inserted via translation files. This exposes the application to untrusted content being rendered as HTML.
Impact
If exploited, attackers or compromised translation contributors could inject scripts into pages, leading to cross-site scripting (XSS) attacks. This can result in data theft, user session hijacking, or compromise of user accounts and application integrity.
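As an added illustration, not part of the rule text above: a minimal Python model of the vulnerable pattern (a translated string inserted into markup as trusted, the way `|safe` / `mark_safe()` or a disabled autoescape would) beside the hardened pattern (the translation escaped like any other untrusted input), plus a catalog lint a CI job could run over translation files. The catalog contents, the `xx` locale and all function names are constructed for this example.

```python
import html
import re

# Constructed translation catalog (hypothetical data). The "xx" locale
# simulates an entry tampered with by a compromised translation contributor.
CATALOG = {
    "en": {"welcome": "Welcome back, {user}!"},
    "xx": {"welcome": "Welcome back <script>alert(1)</script>, {user}!"},
}


def gettext(locale: str, key: str) -> str:
    """Look up a translated string, falling back to the English entry."""
    return CATALOG.get(locale, CATALOG["en"]).get(key, CATALOG["en"][key])


def render_unsafe(locale: str, user: str) -> str:
    """Vulnerable pattern: the translation is trusted and inserted raw.
    Only the user value is escaped; markup in the catalog text goes through."""
    translated = gettext(locale, "welcome")
    return "<p>" + translated.format(user=html.escape(user)) + "</p>"


def render_safe(locale: str, user: str) -> str:
    """Hardened pattern: the translated string is escaped before it reaches
    the page; placeholders are filled with already-escaped values afterwards."""
    translated = html.escape(gettext(locale, "welcome"))
    return "<p>" + translated.format(user=html.escape(user)) + "</p>"


def contains_script(markup: str) -> bool:
    """Detection helper: does the rendered output contain a live <script> tag?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


def audit_catalog(catalog: dict) -> list:
    """CI lint: flag translation entries that contain HTML tags, so tampered
    or careless entries are caught before any template renders them."""
    findings = []
    for locale, entries in sorted(catalog.items()):
        for key, text in sorted(entries.items()):
            if re.search(r"<[a-zA-Z/!]", text):
                findings.append((locale, key))
    return findings


if __name__ == "__main__":
    print(render_unsafe("xx", "alice"))   # script tag survives
    print(render_safe("xx", "alice"))     # script tag is escaped
    print(audit_catalog(CATALOG))         # [('xx', 'welcome')]
```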