Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | Value |
|---|---|
| Language | regex |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The EJS template uses the ‘<%- … %>’ tag, which writes a value into the page without HTML-escaping it. Any user-provided data rendered this way is output as-is and could include malicious scripts. This exposes your application to cross-site scripting (XSS) attacks when external or unsanitized data is displayed without escaping.
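The check described above can be approximated with a small scanner over template source. This is an added example, not the rule's own implementation: `findRawOutputTags` and the sample template are hypothetical, and `<%- include(...) %>` is skipped because EJS partials are embedded with the raw-output tag by design.

```javascript
// Added example: heuristic scan of EJS template source for raw-output tags.
// Matches "<%-" up to the nearest "%>", allowing the "-%>" and "_%>" closers.
const RAW_TAG = /<%-([\s\S]*?)[-_]?%>/g;
// <%- include(...) %> is how EJS embeds partials and needs raw output by design.
const INCLUDE_CALL = /^include\s*\(/;

// Hypothetical helper: returns one finding per raw-output tag in the source.
function findRawOutputTags(source) {
  const findings = [];
  for (const match of source.matchAll(RAW_TAG)) {
    const expression = match[1].trim();
    if (INCLUDE_CALL.test(expression)) continue;
    findings.push({
      // 1-based line number of the tag's opening delimiter.
      line: source.slice(0, match.index).split('\n').length,
      expression,
      // The escaped-output tag to review as a replacement for plain-text values.
      suggestion: `<%= ${expression} %>`,
    });
  }
  return findings;
}

// Constructed sample template (not taken from a real project).
const SAMPLE_TEMPLATE = [
  '<%- include("partials/header") %>',
  '<h1>Welcome, <%- user.name %></h1>',
  '<p>Bio: <%= user.bio %></p>',
  '<div><%- comment.body -%></div>',
].join('\n');

for (const f of findRawOutputTags(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: raw output of "${f.expression}", consider ${f.suggestion}`);
}
```

Hits still need manual review: a tag that renders HTML the application has already sanitized is reported too, which fits the rule's low confidence level.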
Impact
If exploited, an attacker could inject malicious JavaScript into your web pages, leading to session hijacking, data theft, redirection to malicious sites, or the execution of unwanted actions on behalf of users. This can compromise user trust, lead to data breaches, and potentially damage your application’s reputation.