Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The ‘raw’ helper in Rails views bypasses the framework's default output escaping and writes its argument into the page as literal HTML. Any user-supplied content passed through it is therefore rendered exactly as submitted, including tags and script. If untrusted data can reach a ‘raw’ call, the browser will execute whatever markup the attacker placed in it.
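The following is an added illustration, not code from the original page or from Rails. It uses Ruby's standard-library ERB as a stand-in for a Rails view: plain ERB performs no escaping, so its ‘<%= %>’ tag behaves like Rails' ‘raw’, while ERB::Util.html_escape is the same escaping function Rails applies by default. The comment payload is constructed sample input; the template strings and helper names are this example's own.

```ruby
require 'erb'

# Constructed sample of untrusted input, e.g. a comment body submitted by a user.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'

# Plain ERB does not escape interpolated values, so this template behaves the
# way a Rails view does when the value is wrapped in `raw`.
UNSAFE_TEMPLATE = ERB.new('<p><%= comment %></p>')

# Escaped variant: ERB::Util.html_escape is the function Rails' auto-escaping
# (and the `h` helper) uses, so this matches a Rails view without `raw`.
SAFE_TEMPLATE = ERB.new('<p><%= ERB::Util.html_escape(comment) %></p>')

# Render the comment as-is (raw) into the page.
def render_unsafe(comment)
  UNSAFE_TEMPLATE.result_with_hash(comment: comment)
end

# Render the comment with HTML escaping applied.
def render_safe(comment)
  SAFE_TEMPLATE.result_with_hash(comment: comment)
end

# Detection check usable in a test suite: report true if the rendered HTML
# contains any element the template itself did not emit (here only <p>).
def injected_tag?(html, allowed_tags = %w[p])
  tags = html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.map(&:downcase)
  tags.any? { |t| !allowed_tags.include?(t) }
end

if __FILE__ == $PROGRAM_NAME
  puts "raw:     #{render_unsafe(PAYLOAD)}"
  puts "escaped: #{render_safe(PAYLOAD)}"
end
```

With the raw rendering the output contains a live ‘<img>’ element whose ‘onerror’ handler runs in the victim's page; with escaping the same bytes arrive as ‘&lt;img ...&gt;’ and are displayed as text. In a Rails application the fix is to remove the ‘raw’ (or ‘html_safe’) call and let auto-escaping apply; where a field is meant to carry a limited subset of HTML, pass it through the ‘sanitize’ helper with an explicit tag allowlist rather than marking it safe.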

Impact

An attacker could inject malicious scripts into your web pages, potentially stealing user data, hijacking sessions, or defacing the site. This exposes your application and its users to cross-site scripting (XSS) attacks.