Improper Encoding or Escaping of Output
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-116: Improper Encoding or Escaping of Output |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Interpolating variables directly into HTML template literals without encoding lets untrusted content be parsed as HTML rather than displayed as text. If the variable holds attacker-controlled markup or script, the browser treats it as part of the page and executes it.
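The pattern the rule flags and one way to remediate it, as an added example that is not part of the original rule page. `escapeHtml`, `renderGreetingUnsafe`, `renderGreetingSafe`, the `html` tagged-template helper and the sample input are all constructed for this illustration; the encoder covers HTML text and double-quoted attribute contexts only.

```javascript
// Added example, not code from the original rule page.
// Shows the flagged pattern (raw interpolation into an HTML template literal)
// next to a hardened version that entity-encodes every substitution.

// Minimal HTML entity encoder for values placed into element content or
// double-quoted attribute values. '&' is replaced first so that the entities
// produced by later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE (what the rule reports): the untrusted value is interpolated
// verbatim, so any markup it contains becomes live HTML.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// HARDENED: the value is encoded before interpolation, so markup characters
// are rendered as inert text.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Tagged template helper (hypothetical, for illustration): the literal parts of
// the template are trusted, every substitution is escaped by default, which
// removes the need to remember escapeHtml() at each call site.
function html(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// Constructed sample input standing in for untrusted user-supplied data.
const untrustedName = '<script>alert("xss")</script>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderGreetingUnsafe(untrustedName)); // script tag survives intact
  console.log(renderGreetingSafe(untrustedName));   // script tag rendered as text
  console.log(html`<p>Hello, ${untrustedName}!</p>`);
}
```

Entity encoding of this kind is only correct for HTML text and quoted attribute values; a value interpolated into a URL, an inline script, or a style block needs the encoder for that context, and a templating library or framework that escapes by default (or the `html` tag pattern above) is easier to audit than per-call escaping.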
Impact
If exploited, an attacker could inject malicious scripts (XSS) into your web page, leading to data theft, session hijacking, or unauthorized actions performed on behalf of users. This can compromise user accounts and undermine trust in the application.