Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description#
User input from the browser’s location (such as URL parameters or fragments) is being directly inserted into HTML strings without proper sanitization. This can allow attackers to inject malicious scripts into the page.
Impact#
If exploited, attackers could execute arbitrary JavaScript in users’ browsers (XSS), leading to stolen data, account compromise, or unauthorized actions on behalf of users. This threatens user safety and can damage trust in the application.