Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language | generic |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Using Rails’ ‘content_tag’ helper can unintentionally allow unescaped user input into HTML, especially for tag and attribute names or when rendering raw HTML. This creates a risk where attackers could inject malicious scripts into your pages.
Impact#
If exploited, attackers could perform cross-site scripting (XSS), allowing them to steal user data, hijack sessions, or deface your website. This compromises user trust and can lead to data breaches or compliance violations.