Property

Language: go
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Wrapping non-constant or user-controlled input in template.HTML(), template.JS(), or template.CSS() marks the value as already trusted, so html/template skips its contextual auto-escaping and writes the raw content into the template output. This allows attackers to include malicious scripts or HTML in your web pages.
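As an added example (not part of the original rule page), the same constructed comment string rendered two ways: wrapped in template.HTML, which is the pattern this rule flags, and passed as a plain string, which lets html/template escape it; the trailing constant shows the legitimate use the rule does not flag. The `userInput` value and the hypothetical `renderUnsafe`/`renderSafe` functions are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed user input: harmless as text, but script if it reaches the
// page unescaped.
const userInput = `<img src=x onerror="alert(1)">`

// Legitimate use: a compile-time constant whose content the developer
// controls, so marking it trusted does not depend on any request data.
const trustedFooter template.HTML = `<footer>&copy; example</footer>`

const pageTemplate = `<p>{{.Comment}}</p>`

// renderUnsafe mirrors the flagged pattern: converting a non-constant value
// to template.HTML tells html/template it is already safe, so the escaper
// is skipped and the markup is emitted verbatim.
func renderUnsafe(input string) (string, error) {
	tmpl := template.Must(template.New("page").Parse(pageTemplate))
	data := struct{ Comment template.HTML }{Comment: template.HTML(input)}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderSafe passes the same value as a plain string; html/template then
// applies context-aware escaping, so the input is displayed as text.
func renderSafe(input string) (string, error) {
	tmpl := template.Must(template.New("page").Parse(pageTemplate))
	data := struct{ Comment string }{Comment: input}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	raw, _ := renderUnsafe(userInput)
	safe, _ := renderSafe(userInput)
	fmt.Println("template.HTML (escaping skipped):", raw)
	fmt.Println("plain string (escaped):          ", safe)
	fmt.Println("constant trusted content:        ", trustedFooter)
}
```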

Impact

If exploited, attackers could execute arbitrary JavaScript in users’ browsers (Cross-Site Scripting), leading to data theft, session hijacking, or defacement of your application. This compromises user trust and may put sensitive data and accounts at risk.