Property

Language: python
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using flask.make_response() to return raw or unescaped HTML content can expose your application to cross-site scripting (XSS) attacks, because make_response() sends the string exactly as built and does not escape user input that was interpolated into it. To prevent this, use flask.render_template() for HTML responses (Jinja2 auto-escapes template variables) or flask.jsonify() for API data.
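The flagged pattern beside the two recommended alternatives, as an added example that is not part of the original rule documentation; the route names, the `?name=` parameter and the probe string are constructed for illustration, and `render_template_string()` stands in for `render_template()` so the app needs no templates directory:

```python
from flask import Flask, jsonify, make_response, render_template_string, request

app = Flask(__name__)

# Constructed probe standing in for attacker-controlled input in ?name=
XSS_PROBE = "<script>alert(1)</script>"


@app.route("/unsafe")
def unsafe_greeting():
    # The flagged pattern: untrusted input interpolated into HTML and sent via
    # make_response(), which performs no escaping at all.
    name = request.args.get("name", "")
    return make_response(f"<h1>Hello {name}</h1>")


@app.route("/safe")
def safe_greeting():
    # The recommended pattern: let Jinja2 auto-escape the variable.
    # render_template_string() is used only so this file is self-contained;
    # it auto-escapes exactly as render_template() does for .html templates.
    name = request.args.get("name", "")
    return render_template_string("<h1>Hello {{ name }}</h1>", name=name)


@app.route("/api/greeting")
def api_greeting():
    # For API data, jsonify() sends application/json, which the browser does
    # not render as a document, so markup inside the value is never executed.
    name = request.args.get("name", "")
    return jsonify(greeting=f"Hello {name}")


def fetch(path, name):
    """GET path with ?name=<name>; return (status, mimetype, body text)."""
    with app.test_client() as client:
        resp = client.get(path, query_string={"name": name})
        return resp.status_code, resp.mimetype, resp.get_data(as_text=True)


def probe_reached_page_unescaped(path):
    """True when the raw probe appears verbatim in an HTML body (XSS would fire)."""
    status, mimetype, body = fetch(path, XSS_PROBE)
    return mimetype == "text/html" and XSS_PROBE in body


if __name__ == "__main__":
    for path in ("/unsafe", "/safe", "/api/greeting"):
        print(path, fetch(path, XSS_PROBE))
```

Running the file shows the probe surviving verbatim only on `/unsafe`; the same check is what a regression test for this finding would assert.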

Impact

If exploited, attackers could inject malicious scripts into your web pages, leading to theft of user data (like cookies or credentials), defacement, or unauthorized actions performed on behalf of users. This can compromise user trust, result in data breaches, and potentially violate compliance requirements.