Improper Neutralization of Escape, Meta, or Control Sequences
| Property | Value |
|---|---|
| Language | regex |
| Severity | |
| CWE | CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Disabling HTML escaping in a web template (e.g., using `escape=false`) causes untrusted data to be rendered as raw HTML rather than as encoded text. Any markup or script contained in that data is then interpreted by the user's browser, so injected scripts execute in the context of the page.
Impact
If exploited, attackers can perform cross-site scripting (XSS) attacks, stealing user data, hijacking sessions, or defacing the site. This compromises user trust and can expose sensitive information or allow further attacks against your application and its users.
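As an added illustration (not part of this rule's own definition), the Python below shows what escaping changes in the rendered output and, in the spirit of this regex-based rule, a scan that flags template lines that switch escaping off. Only `escape=false` is named above; the other directives (Jinja2/Django `autoescape off` and `|safe`, Thymeleaf `th:utext`) are assumptions drawn from those engines' syntax, and the template excerpt and untrusted input are constructed.

```python
import html
import re
from string import Template

# Directives that switch HTML escaping off. Only escape=false comes from the
# rule text; the others are assumptions based on Jinja2/Django (autoescape
# off, |safe), Thymeleaf (th:utext) and Struts (escape="false") syntax.
ESCAPE_OFF = re.compile(
    r"""escape\s*=\s*["']?false["']?                # escape=false / escape="false"
      | \{%\s*autoescape\s+(?:off|false)\s*%\}     # {% autoescape off %}
      | \|\s*safe\b                                 # {{ var|safe }}
      | th:utext\b                                  # <span th:utext="...">
    """,
    re.IGNORECASE | re.VERBOSE,
)

def find_escape_disabled(source: str) -> list[tuple[int, str]]:
    """Return (line number, matched directive) for each line disabling escaping."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        match = ESCAPE_OFF.search(line)
        if match:
            findings.append((number, match.group(0).strip()))
    return findings

def render(template: str, value: str, escape: bool = True) -> str:
    """Minimal stand-in for a template engine: substitutes $value into the
    template, HTML-encoding it unless escaping has been switched off."""
    rendered_value = html.escape(value, quote=True) if escape else value
    return Template(template).safe_substitute(value=rendered_value)

# Constructed template excerpt mixing safe and unsafe lines.
SAMPLE_TEMPLATE = """\
<h1>Hello {{ user.name }}</h1>
<s:property value="comment" escape="false"/>
{% autoescape off %}{{ bio }}{% endautoescape %}
<p>{{ bio|safe }}</p>
<span th:utext="${note}"></span>
"""

# Constructed untrusted input: with escaping on it is displayed as text,
# with escaping off the browser would run it.
UNTRUSTED = "<script>alert(1)</script>"

if __name__ == "__main__":
    for number, directive in find_escape_disabled(SAMPLE_TEMPLATE):
        print(f"line {number}: escaping disabled by {directive!r}")
    print(render("<p>$value</p>", UNTRUSTED))
    print(render("<p>$value</p>", UNTRUSTED, escape=False))
```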