Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Directly using Jinja2 templates in Flask (e.g., with jinja2.Environment or jinja2.Template.render) can bypass Flask’s built-in HTML escaping, making it easy to introduce XSS vulnerabilities. It’s safer to use Flask’s render_template() with ‘.html’ templates to ensure proper output sanitization.
Impact#
If exploited, attackers could inject malicious scripts into web pages, leading to theft of user data, session hijacking, or defacement of the site. This exposes both users and the organization to data breaches, reputational harm, and potential legal consequences.