Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
User data is being inserted into HTML attributes using template.HTMLAttr() without proper escaping or sanitization. This allows potentially unsafe input to be included directly in HTML, increasing the risk of cross-site scripting (XSS).
Impact#
If exploited, an attacker could inject malicious scripts into your web page, leading to session hijacking, data theft, or manipulation of page content. This compromises user trust and can expose sensitive information or allow further attacks against your application and its users.