Property
Language: regex
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Spreading unescaped variables into a tag with Pug's ‘&attributes’ syntax places untrusted data directly in HTML attributes, because Pug does not escape attributes applied this way. If external data reaches that object, an attacker can inject attribute content that executes a malicious script.
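As an added example (not code from the rule page or from Pug itself), the helper below prepares externally supplied data before it is spread with ‘&attributes’, which Pug inserts without escaping. The attribute allowlist and the renderAttrs stand-in for the unescaped spread are assumptions made for the demonstration.

```javascript
// Added example, not the rule's or Pug's own code: sanitize an attribute
// object before it is spread into a tag with &attributes. Pug does not
// escape attributes applied that way, so both the attribute NAMES and the
// VALUES must be controlled before the object reaches the template.

// Assumption: this element only ever needs these attributes from input.
const ALLOWED_ATTRS = new Set(['id', 'class', 'name', 'placeholder', 'value']);

// Escapes the same characters pug-runtime's escape() does (& < > ") so a
// value cannot terminate the attribute it is placed in.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Returns a new object that is safe to pass to &attributes: keys outside the
// allowlist (event handlers, style, href, ...) are dropped and every kept
// value is escaped.
function sanitizeAttributes(untrusted) {
  const safe = {};
  for (const [key, value] of Object.entries(untrusted || {})) {
    const name = key.toLowerCase();
    if (!ALLOWED_ATTRS.has(name)) continue;
    safe[name] = escapeAttr(value);
  }
  return safe;
}

// Stand-in for the unescaped spread (constructed, not Pug's renderer), used
// only to make the difference visible without installing Pug.
function renderAttrs(attrs) {
  return Object.entries(attrs).map(([k, v]) => `${k}="${v}"`).join(' ');
}

// Constructed sample: an attribute object assembled from a request body.
const fromRequest = { placeholder: 'Search', onfocus: 'run()', value: '" autofocus' };
console.log('<input ' + renderAttrs(fromRequest) + '>');                      // unsafe
console.log('<input ' + renderAttrs(sanitizeAttributes(fromRequest)) + '>');  // safe
```

In the template, spread only the sanitized object (for example `input&attributes(safeAttrs)`), or name each attribute explicitly with `=` so Pug escapes the value itself.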

Impact

If exploited, an attacker could execute JavaScript in users’ browsers (XSS), potentially stealing session cookies, impersonating users, or defacing the site. This can lead to data breaches, loss of user trust, and compliance issues for your application.