Property
Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Rendering JSON directly into an HTML page with @Html.Raw bypasses Razor's automatic HTML encoding. When that JSON was built from untrusted data and is written into a <script> block, the browser's HTML parser sees the bytes before the JavaScript engine does: a string value containing the sequence </script> closes the script element, and whatever follows it is parsed as new markup, so an attacker can break out of the script context and inject a script of their own. The JSON serializer's escaping of double quotes does not prevent this, because the HTML parser does not care about JSON string boundaries; only escaping the characters that are significant to HTML (<, >, &) as JSON \uXXXX sequences does.

Impact

If exploited, an attacker can execute arbitrary JavaScript in the victim's browser within the application's origin: reading data the page exposes, calling the application's APIs with the victim's session, stealing cookies that are not marked HttpOnly, or defacing the page. This compromises user trust and may result in data breaches or legal consequences for your organization.