Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Calling `html_safe` on a string in a Rails view marks it as trusted markup, which disables the automatic HTML escaping that ERB output (`<%= %>`) normally applies. If that string contains user-controlled data (request parameters, cookies, database fields that originated from users), the data is written into the page as raw HTML instead of being escaped, and the same applies to the `raw` helper, which calls `html_safe` internally.
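The following Ruby block is an added example, not code from this rule page or from Rails itself. It models the escaping decision a Rails view makes (escape unless the value is marked safe) with a small `SafeString` stand-in for ActiveSupport's `SafeBuffer`, shows the vulnerable pattern beside the hardened one and a legitimate use that escapes first and marks safe afterwards, and ends with a simplified source check in the spirit of this rule that flags `html_safe` or `raw(` applied to request data. The sample comment and the sample view are constructed; the module, method and constant names are this example's own.

```ruby
require "erb"

# Simplified model of the Rails behaviour this rule is about (constructed here
# for illustration; not ActiveSupport's real SafeBuffer implementation).
module HtmlSafeDemo
  # A string explicitly marked as trusted markup, as `html_safe` does in Rails.
  class SafeString < String
    def html_safe?
      true
    end
  end

  # Stand-in for `"...".html_safe`: marks the string as already-safe markup.
  def self.mark_safe(str)
    SafeString.new(str)
  end

  # What `<%= value %>` does in a view: escape everything unless marked safe.
  def self.output(value)
    value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value.to_s)
  end

  # Vulnerable pattern: user input is marked html_safe, so it reaches the page unescaped.
  def self.render_comment_vulnerable(user_comment)
    "<p class=\"comment\">#{output(mark_safe(user_comment))}</p>"
  end

  # Hardened pattern: leave the value unmarked and let the view escape it.
  def self.render_comment_safe(user_comment)
    "<p class=\"comment\">#{output(user_comment)}</p>"
  end

  # Legitimate use of html_safe: escape every untrusted piece first, then mark the
  # assembled markup safe (the approach Rails tag helpers take internally).
  def self.render_link(href, text)
    mark_safe("<a href=\"#{ERB::Util.html_escape(href)}\">#{ERB::Util.html_escape(text)}</a>")
  end

  # Simplified source check in the spirit of this rule: report view lines where
  # html_safe (or raw, which calls html_safe) is applied on a line that references
  # request data. Returns [[line_number, source], ...].
  TAINT_SOURCES = /\b(params|cookies|request)\b/
  DISABLES_ESCAPING = /\.html_safe\b|\braw\(/

  def self.find_risky_html_safe(erb_source)
    erb_source.each_line.with_index(1).filter_map do |line, no|
      next unless DISABLES_ESCAPING.match?(line) && TAINT_SOURCES.match?(line)
      [no, line.strip]
    end
  end

  # Constructed sample view: lines 2 and 4 are the risky ones.
  SAMPLE_VIEW = <<~VIEW
    <h1><%= @post.title %></h1>
    <div><%= params[:bio].html_safe %></div>
    <div><%= sanitize(@post.body) %></div>
    <%= raw(cookies[:banner]) %>
  VIEW
end

if __FILE__ == $PROGRAM_NAME
  comment = "<script>alert('xss')</script>" # constructed sample user input
  puts HtmlSafeDemo.render_comment_vulnerable(comment)
  puts HtmlSafeDemo.render_comment_safe(comment)
  puts HtmlSafeDemo.output(HtmlSafeDemo.render_link("/p?id=1&tab=2", "<b>me</b>"))
  HtmlSafeDemo.find_risky_html_safe(HtmlSafeDemo::SAMPLE_VIEW).each do |no, src|
    puts "line #{no}: #{src}"
  end
end
```

The source check is deliberately line-local and pattern-based, so it only catches the case where the request access and the `html_safe` call sit on the same line; data that flows through a variable, a model attribute or a helper needs real taint tracking, which is why a rule of this kind is reported at low confidence and why the fix is the same in every case: escape first, mark safe last, and never mark raw user input.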
Impact
If exploited, an attacker can inject scripts into your web pages (cross-site scripting), leading to data theft, account compromise, or defacement. This undermines user trust, exposes sensitive information, and can let the attacker perform actions in your application on behalf of the affected users.