Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Using mark_safe() in Django marks a string as safe for HTML output, disabling automatic escaping. If user-controlled input is marked safe, it can introduce security risks like Cross-Site Scripting (XSS).
Impact#
An attacker could inject malicious scripts into your web pages, leading to stolen user data, session hijacking, or defacement. This compromises user trust and may expose sensitive information or allow further attacks on your application.