Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
User-controlled or dynamic data is being inserted into template.HTML() without proper escaping. This allows untrusted input to be rendered as raw HTML in web pages, creating a security risk.
Impact#
If exploited, an attacker could inject malicious scripts (XSS) into the application, potentially stealing user credentials, hijacking sessions, or spreading malware to users. This can undermine user trust and expose sensitive data.