Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Passing user-controlled data directly to the createNodesFromMarkup function can allow untrusted HTML or scripts to be injected into the page. This practice opens the door to cross-site scripting (XSS) attacks.
Impact#
If exploited, an attacker could execute malicious scripts in users’ browsers, potentially stealing session cookies, accessing sensitive data, or performing actions on behalf of users. This compromises user security and trust, and could lead to data breaches or regulatory issues.