Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Rendering data directly to users using ‘HttpResponse’ in Django bypasses the framework’s automatic HTML escaping, making it easy to accidentally expose user input or untrusted data in the response. This can lead to unsafe content being delivered to browsers.
Impact#
If exploited, attackers could inject malicious scripts (XSS) into your web pages, which may steal user credentials, hijack sessions, or deface the site. This compromises user trust, can lead to data breaches, and may put your organization at risk of regulatory or reputational harm.