Improper Encoding or Escaping of Output
| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-116: Improper Encoding or Escaping of Output |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Using the HtmlString class in ASP.NET Core MVC to render HTML without encoding untrusted input exposes your application to cross-site scripting (XSS). HtmlString marks its content as already safe, so Razor writes it to the response verbatim instead of applying the HTML encoding it would apply to a plain string. Any untrusted data that ends up inside an HtmlString must therefore be HTML-encoded before it is wrapped, so that attacker-controlled text cannot be interpreted as markup or script.
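The contrast below is an added example, not code from the original page: a Razor helper that wraps a user-supplied name in HtmlString unencoded, next to the same helper with the untrusted part passed through HtmlEncoder first. The method names, the sample input and the surrounding console program are assumptions for illustration; HtmlEncoder.Default and HtmlString are the real .NET types.

```csharp
using System;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Html;

public static class GreetingRenderer
{
    // Vulnerable (hypothetical helper): the untrusted userName is interpolated
    // into markup and wrapped in HtmlString, so Razor emits it verbatim.
    // Any '<', '"' or '&' the user typed reaches the browser unchanged.
    public static HtmlString RenderGreetingUnsafe(string userName)
    {
        return new HtmlString($"<p>Welcome, {userName}!</p>");
    }

    // Hardened: encode the untrusted fragment before it is marked as safe HTML.
    // Only the static markup written by the developer is trusted.
    public static HtmlString RenderGreetingSafe(string userName)
    {
        string encoded = HtmlEncoder.Default.Encode(userName);
        return new HtmlString($"<p>Welcome, {encoded}!</p>");
    }

    // Alternative that avoids HtmlString entirely: return a plain string and
    // let Razor's default output encoding handle it when rendered via @value.
    public static string RenderGreetingPlain(string userName)
    {
        return $"Welcome, {userName}!";
    }

    public static void Main()
    {
        // Constructed sample input containing markup characters.
        string userName = "<i>Mallory</i> & Co";

        Console.WriteLine(RenderGreetingUnsafe(userName).Value);
        // <p>Welcome, <i>Mallory</i> & Co!</p>   (markup is live in the page)

        Console.WriteLine(RenderGreetingSafe(userName).Value);
        // <p>Welcome, &lt;i&gt;Mallory&lt;/i&gt; &amp; Co!</p>   (markup is inert text)
    }
}
```

In a Razor view, `@GreetingRenderer.RenderGreetingUnsafe(name)` and `@Html.Raw(...)` behave the same way: both bypass encoding. Prefer returning plain strings and relying on `@` encoding; reserve HtmlString for markup you generated yourself, with every untrusted fragment run through HtmlEncoder as above.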
Impact
If exploited, an attacker could inject malicious JavaScript or HTML into your web page, potentially stealing user data, hijacking sessions, or defacing the site. This can lead to compromised user accounts, loss of user trust, and regulatory consequences for your organization.