Language: javascript
Severity: high
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

Rendering HTML built from dynamic or user-supplied input directly into the DOM (for example via document.write or insertAdjacentHTML) without sanitization exposes your app to Cross-Site Scripting (XSS) attacks: the browser parses the injected string as markup, so any tags or event handlers it contains are executed. Always sanitize HTML input before rendering it in React applications.
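As an added example (not code from this rule page): the pattern the rule flags, beside a hardened version that escapes untrusted text before it reaches insertAdjacentHTML. The `element` parameter and the recording stub are assumptions so the same functions run against a real DOM node in the browser or stand-alone in Node.

```javascript
// Constructed untrusted input, as it might arrive from a query string or an API
// response. Nothing here is from the rule page; the payload is a textbook
// attribute-handler injection used to show the difference between the two renderers.
const UNTRUSTED_NAME = 'Mallory <img src=x onerror="alert(1)">';

// Vulnerable (the pattern the rule reports): the string is parsed as markup,
// so the injected <img> tag and its onerror handler become part of the page.
function renderGreetingUnsafe(element, name) {
  element.insertAdjacentHTML('beforeend', `<p>Hello, ${name}!</p>`);
}

// Minimal HTML escaping for text content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: untrusted data is escaped, so the browser shows it as literal text
// and cannot create new elements or attributes from it.
function renderGreetingSafe(element, name) {
  element.insertAdjacentHTML('beforeend', `<p>Hello, ${escapeHtml(name)}!</p>`);
}

// Hypothetical stand-in for a DOM element: records what would have been inserted.
function makeRecordingElement() {
  const inserted = [];
  return {
    inserted,
    insertAdjacentHTML(position, html) { inserted.push({ position, html }); },
  };
}

// Simple check used by the demo: does the markup contain a tag with an on* handler?
function containsEventHandler(html) {
  return /<[^>]*\son\w+\s*=/i.test(html);
}

// Renders the same untrusted name both ways and reports what each produced.
function demo() {
  const unsafe = makeRecordingElement();
  const safe = makeRecordingElement();
  renderGreetingUnsafe(unsafe, UNTRUSTED_NAME);
  renderGreetingSafe(safe, UNTRUSTED_NAME);
  return {
    unsafeHtml: unsafe.inserted[0].html,
    safeHtml: safe.inserted[0].html,
    unsafeHasHandler: containsEventHandler(unsafe.inserted[0].html),
    safeHasHandler: containsEventHandler(safe.inserted[0].html),
  };
}
```

Escaping is the right fix when the input is meant to be displayed as text; if user-authored markup must be preserved, run it through an allowlist HTML sanitizer instead of inserting it raw.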

Impact

If exploited, attackers can inject malicious scripts that run in your users’ browsers, leading to data theft, session hijacking, defacement, or spreading malware. This can compromise user trust, violate privacy, and potentially harm your application’s reputation and security.