Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Using unquoted template variables as HTML attribute values can allow user input to break out of the attribute and inject malicious JavaScript. Always wrap template expressions in quotes to prevent this type of injection.
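The following is an added example, not code from the rule page or any template engine, showing why an unquoted attribute is injectable even when the engine HTML-escapes the variable. `escapeHtml` models what auto-escaping engines such as Jinja2 do (escape `& < > " '`, leave whitespace and `=` alone); `renderUnquoted`, `renderQuoted`, `renderQuotedUnescaped` and the tiny `attributeNames` tokenizer are constructed for this demo, as is the sample input `x data-injected=1`.

```javascript
// Models the escaping an auto-escaping template engine applies to a variable:
// the five HTML-significant characters are replaced, whitespace and '=' are not.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern from the rule: template `<input value={{ name }}>`.
// The engine escapes the value, but nothing stops a space from ending it.
function renderUnquoted(name) {
  return `<input value=${escapeHtml(name)}>`;
}

// Hardened pattern from the rule: template `<input value="{{ name }}">`.
// Quotes delimit the value, and escaping turns any `"` into &quot;.
function renderQuoted(name) {
  return `<input value="${escapeHtml(name)}">`;
}

// Quoted but with escaping disabled (e.g. a `|safe` / `raw` filter):
// shown only to make the point that quoting and escaping are needed together.
function renderQuotedUnescaped(name) {
  return `<input value="${name}">`;
}

// Minimal start-tag tokenizer (constructed for this demo) that follows the
// browser's rule: an unquoted value ends at whitespace, a quoted value ends at
// the matching quote. Returns the attribute names the browser would see.
function attributeNames(tag) {
  const names = [];
  let i = tag.indexOf(" "); // skip "<input"
  if (i < 0) return names;
  const end = tag.lastIndexOf(">");
  while (i < end) {
    while (i < end && /\s/.test(tag[i])) i++; // skip whitespace
    if (i >= end) break;
    let name = "";
    while (i < end && !/[\s=]/.test(tag[i])) name += tag[i++];
    names.push(name);
    while (i < end && /\s/.test(tag[i])) i++;
    if (tag[i] === "=") {
      i++;
      while (i < end && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < end && tag[i] !== q) i++; // quoted: run to matching quote
        i++; // step past the closing quote
      } else {
        while (i < end && !/\s/.test(tag[i])) i++; // unquoted: run to whitespace
      }
    }
  }
  return names;
}

// Constructed sample inputs: a value that only uses a space, and one that
// tries to close a quoted attribute with a literal double quote.
const spaceOnly = "x data-injected=1";
const withQuote = 'x" data-injected="1';

console.log(renderUnquoted(spaceOnly), attributeNames(renderUnquoted(spaceOnly)));
console.log(renderQuoted(spaceOnly), attributeNames(renderQuoted(spaceOnly)));
console.log(renderQuoted(withQuote), attributeNames(renderQuoted(withQuote)));
console.log(renderQuotedUnescaped(withQuote), attributeNames(renderQuotedUnescaped(withQuote)));
```

Quoting works because the escaper turns `"` into `&quot;`, so the value cannot terminate the attribute, while the space that breaks an unquoted attribute is never escaped at all. The two controls only hold together: quoting with escaping disabled (`renderQuotedUnescaped`) is just as injectable as the unquoted form. Quoting addresses attribute breakout only; a value placed inside an event-handler attribute or a URL attribute still needs its own context-specific validation.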
Impact
If exploited, attackers could execute arbitrary JavaScript in users’ browsers (XSS), potentially stealing session cookies, impersonating users, or modifying site content. This can lead to data breaches, account compromise, and damage to user trust.