Property
Language: javascript
Severity: low
CWE: CWE-116: Improper Encoding or Escaping of Output
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Using the $STR.replace method with a string as the first argument only replaces the first match, not all instances. If this approach is used for sanitizing or escaping user input, dangerous characters elsewhere in the string might remain unescaped, leading to incomplete protection.
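The following is an added example, not code from the rule page: it contrasts an escaping function built on `replace` with a string pattern (which the rule flags) against two correct forms, a regex with the `g` flag and `String.prototype.replaceAll`. The sample input and the helper names (`escapeFirstOnly`, `escapeHtmlGlobal`, `escapeHtmlReplaceAll`, `hasUnescapedAngleBrackets`) are constructed for this illustration.

```javascript
// Added example; not part of the rule page. Demonstrates why
// str.replace("<", "&lt;") is an incomplete escape and what to use instead.

// Flawed: with a string as the first argument, replace() rewrites only the
// FIRST "<" and the FIRST ">". Every later occurrence survives untouched.
function escapeFirstOnly(input) {
  return input.replace("<", "&lt;").replace(">", "&gt;");
}

// Correct: a regular expression with the global (g) flag replaces every
// occurrence. (A regex WITHOUT g behaves like the string form: first match only.)
// "&" is escaped first so the entities introduced afterwards are not re-escaped.
function escapeHtmlGlobal(input) {
  return input
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Also correct: String.prototype.replaceAll (ES2021) replaces all matches of a
// plain string pattern, so no regex escaping of the pattern is needed.
function escapeHtmlReplaceAll(input) {
  return input
    .replaceAll("&", "&amp;")
    .replaceAll("<", "&lt;")
    .replaceAll(">", "&gt;")
    .replaceAll('"', "&quot;")
    .replaceAll("'", "&#39;");
}

// Quick check a reviewer or unit test can use: did any raw angle bracket survive?
function hasUnescapedAngleBrackets(s) {
  return /[<>]/.test(s);
}

// Constructed sample input: two tag-like sequences, so the second one exposes
// the first-match-only behaviour.
const sample = "<b>hello</b>";

console.log(escapeFirstOnly(sample));       // &lt;b&gt;hello</b>   (second tag untouched)
console.log(escapeHtmlGlobal(sample));      // &lt;b&gt;hello&lt;/b&gt;
console.log(escapeHtmlReplaceAll(sample));  // &lt;b&gt;hello&lt;/b&gt;
```

The important detail is that the order of the replacements matters once you escape everything: `&` must be handled before the other characters, otherwise the `&lt;` produced by a later step would itself be rewritten to `&amp;lt;`. In a code review, a `replace` call with a string pattern inside anything named `escape`, `sanitize`, or `encode` is the pattern to look for; the fix is either the `g`-flagged regex or `replaceAll`, and a test such as `hasUnescapedAngleBrackets` on a multi-occurrence input catches regressions.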

Impact

Attackers could exploit this incomplete sanitization to inject malicious code, such as cross-site scripting (XSS) payloads, by placing dangerous characters beyond the first occurrence. This can compromise user data, allow session hijacking, or enable further exploitation of the application.