Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Property
Language	regex
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description#

Using unescaped output (with ‘!=’ or ‘!{…}’) in Pug templates directly inserts data into HTML without any filtering. If this includes user-controlled or external data, it can allow attackers to inject malicious scripts into your pages.

Impact#

Exploiting this vulnerability enables attackers to execute JavaScript in users’ browsers, leading to theft of session data, defacement, or phishing attacks. This can compromise user accounts, damage user trust, and expose sensitive information.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Description#

Impact#