Property
Language: javascript
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Overwriting the Mustache escape function disables the template engine’s automatic HTML escaping, making it easy for malicious input to be rendered directly into pages. This removes an important safeguard against injecting unsafe content.
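As an added illustration (not part of this rule page or of mustache.js itself), the snippet below shows what the default escaping does to a `{{var}}` interpolation and a small line-based scanner that flags the reassignment of `Mustache.escape` this rule describes. The entity map is modelled on mustache.js's default and the sample source is constructed; both are assumptions for the demo.

```javascript
// Entities the default escape function substitutes (modelled on mustache.js's
// defaults; treat the exact set as an assumption of this example).
const DEFAULT_ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;',
};

// What {{var}} output looks like while the default escape is still in place.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`=\/]/g, (ch) => DEFAULT_ENTITY_MAP[ch]);
}

// Scan JavaScript source text for assignments to Mustache.escape.
// Returns one finding per assignment: its 1-based line, the right-hand side,
// and whether that right-hand side is a plain identity function (the case in
// which every {{var}} is emitted unescaped).
function findEscapeOverrides(source) {
  const findings = [];
  const assignRe = /\bMustache\.escape\s*=\s*(?!=)(.*)$/; // '=' but not '==' / '==='
  const identityRe =
    /^(?:function\s*\(\s*(\w+)\s*\)\s*\{\s*return\s+\1\s*;?\s*\}|\(?\s*(\w+)\s*\)?\s*=>\s*\2)\s*;?$/;
  source.split('\n').forEach((line, idx) => {
    const m = assignRe.exec(line);
    if (!m) return;
    const rhs = m[1].replace(/\/\/.*$/, '').trim(); // drop a trailing line comment
    findings.push({ line: idx + 1, rhs, identity: identityRe.test(rhs) });
  });
  return findings;
}

// Constructed sample source: line 2 is the global override this rule flags;
// line 3 would render user input unescaped once that override is in effect.
const SAMPLE_SOURCE = [
  "const Mustache = require('mustache');",
  'Mustache.escape = function (text) { return text; }; // disables escaping',
  "const html = Mustache.render('<p>{{name}}</p>', { name: userInput });",
].join('\n');

console.log(escapeHtml('<script>'));          // &lt;script&gt;
console.log(findEscapeOverrides(SAMPLE_SOURCE)); // one finding, line 2, identity: true
```

A finding with `identity: true` means escaping has been switched off for every template rendered through that module instance, not just the one field the author had in mind.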

Impact

If exploited, attackers could inject malicious scripts (XSS) into your application’s output, leading to data theft, session hijacking, or defacement. This undermines user trust and can expose sensitive data or allow attackers to take actions on behalf of users.