Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Passing unsanitized template variables directly to the ‘link_to’ helper can allow user-controlled data to end up in the href attribute. Attackers can then inject malicious URLs, such as those starting with ‘javascript:’, which run script in the page when the link is followed.
Impact
If exploited, attackers could perform cross-site scripting (XSS) by injecting malicious scripts into links. This can lead to session hijacking, data theft, or users being tricked into performing unintended actions, compromising both user security and application integrity.
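One way to neutralize the value before it reaches ‘link_to’ is a scheme allowlist, sketched below as an added example (not part of this rule's own documentation). The names `safe_href`, `ALLOWED_SCHEMES`, `FALLBACK_HREF` and `@user.website` are hypothetical, and the allowed schemes are an assumption to adjust per application.

```ruby
require "uri"

# Hypothetical allowlist and fallback; adjust to what the application links to.
ALLOWED_SCHEMES = %w[http https mailto].freeze
FALLBACK_HREF = "#"

# Returns a value that is safe to pass as the URL argument of link_to.
# Anything that is not an allowlisted absolute URL or a site-relative
# path is replaced with FALLBACK_HREF instead of being "cleaned up".
def safe_href(raw)
  value = raw.to_s
  return FALLBACK_HREF unless value.valid_encoding?
  # Browsers drop tab/CR/LF inside URLs and skip leading control characters,
  # so "java\tscript:" is read as "javascript:". Backslashes are treated
  # like forward slashes. Reject such input outright.
  return FALLBACK_HREF if value.match?(/[\x00-\x1f\x7f\\]/)

  value = value.strip
  return FALLBACK_HREF if value.empty?

  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    # Unparseable input (including raw non-ASCII) is not linked.
    return FALLBACK_HREF
  end

  if uri.scheme.nil?
    # No scheme: accept only site-relative paths such as "/account",
    # not "//host/..." which points at another origin.
    site_relative = value.start_with?("/") && !value.start_with?("//")
    return site_relative ? value : FALLBACK_HREF
  end

  # Compare case-insensitively so "JaVaScRiPt:" cannot slip past.
  ALLOWED_SCHEMES.include?(uri.scheme.downcase) ? value : FALLBACK_HREF
end

# In a view (ERB), the helper wraps the user-controlled value:
#   <%= link_to "Website", safe_href(@user.website) %>
```
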