Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Disabling autoescape in Django template contexts allows untrusted user input to be rendered as raw HTML. This bypasses Django’s built-in protections and can introduce cross-site scripting (XSS) vulnerabilities.
Impact#
If exploited, attackers could inject malicious scripts into your web pages, leading to data theft, account compromise, or unauthorized actions on behalf of users. This compromises user trust and may expose sensitive information or systems.