Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description#
Directly returning formatted strings in Flask routes, especially with user input, can allow attackers to inject malicious HTML or JavaScript. Instead, use Flask’s template engine (render_template) to safely render responses and automatically escape user input.
Impact#
If exploited, attackers could execute arbitrary JavaScript in users’ browsers (cross-site scripting), leading to stolen session cookies, account compromise, defacement, or spreading malware to your users. This can damage user trust and expose sensitive data.