Language: python
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Flask enables Jinja autoescaping only for templates whose file names end in .html, .htm, .xml, or .xhtml. In a template with any other extension, values substituted from user input are rendered verbatim rather than HTML-escaped, so the code is vulnerable to cross-site scripting (XSS).
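The following is an added example, not code from the rule page or from Flask itself. It reproduces Flask's extension-based autoescape decision with plain Jinja2 (Flask delegates rendering to Jinja2 and selects autoescaping by file extension), renders the same template body once as greeting.txt and once as greeting.html, and then shows two defender-side fixes: opting in with a `{% autoescape true %}` block inside the non-HTML template, and extending the list of autoescaped extensions. The template names, the `make_env`/`render`/`is_escaped` helpers, and the user input `<b>Ada</b>` are all constructed for this illustration.

```python
# Added example (not part of the original rule page): mirrors Flask's
# extension-based autoescape rule using Jinja2 directly and shows two fixes.
from jinja2 import DictLoader, Environment, select_autoescape

# Constructed templates: identical bodies, different extensions.
TEMPLATES = {
    "greeting.html": "Hello, {{ name }}!",
    "greeting.txt": "Hello, {{ name }}!",
    # Fix 1: the template opts in explicitly, regardless of its extension.
    "greeting_safe.txt": "{% autoescape true %}Hello, {{ name }}!{% endautoescape %}",
}

# The extensions the rule page lists as autoescaped by Flask's default rule.
FLASK_ESCAPED_EXTENSIONS = ("html", "htm", "xml", "xhtml")

# Constructed untrusted input carrying harmless markup, used as the probe.
UNTRUSTED = "<b>Ada</b>"


def make_env(extra_extensions=()):
    """Build a Jinja2 environment that autoescapes by file extension.

    With no arguments this matches the Flask default described on the page.
    Passing extra extensions (e.g. ("txt",)) is fix 2: widen the list so
    non-HTML templates are escaped too.
    """
    return Environment(
        loader=DictLoader(TEMPLATES),
        autoescape=select_autoescape(
            enabled_extensions=FLASK_ESCAPED_EXTENSIONS + tuple(extra_extensions),
            default_for_string=True,
        ),
    )


def render(env, template_name, user_value):
    """Render one template with a user-controlled value for `name`."""
    return env.get_template(template_name).render(name=user_value)


def is_escaped(rendered, marker="<b>"):
    """True when the probe markup reached the output only in escaped form."""
    return marker not in rendered and "&lt;b&gt;" in rendered


if __name__ == "__main__":
    default_env = make_env()
    hardened_env = make_env(extra_extensions=("txt",))
    for label, env, name in (
        ("vulnerable .txt (default rule)", default_env, "greeting.txt"),
        ("safe .html (default rule)", default_env, "greeting.html"),
        ("fix 1: autoescape block", default_env, "greeting_safe.txt"),
        ("fix 2: .txt added to list", hardened_env, "greeting.txt"),
    ):
        out = render(env, name, UNTRUSTED)
        print(f"{label}: {out!r} escaped={is_escaped(out)}")
```

Running the block prints the .txt rendering with the raw `<b>` tags intact and the other three with `&lt;b&gt;` instead, which is exactly the difference the finding is about. Renaming the template to an .html extension would also work, but the two fixes shown keep the template's intended content type while still escaping.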

Impact

If exploited, attackers could inject malicious scripts into web pages served by your application, potentially stealing user data, hijacking sessions, or defacing your site. This exposes users and the organization to data breaches, loss of trust, and compliance violations.