Property

Language: python
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Autoescaping is globally turned off in your Django templates, so values derived from user input are rendered into web pages without being escaped. This makes it easy for attackers to inject malicious scripts into your site.
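One way to detect this configuration statically, as an added example that is not the scanner's own rule: parse a `settings.py` module and report every `TEMPLATES` entry whose `OPTIONS` dict sets `autoescape` to a literal `False`. The sample settings source below is constructed for the example, and the check assumes the setting is written as a plain dict literal.

```python
"""Static check for globally disabled Django template autoescaping."""
import ast

# Constructed sample settings.py: the first backend turns autoescaping off
# globally, the second leaves it at Django's default (omitted means True).
SAMPLE_SETTINGS = '''
TEMPLATES = [
    {
        "BACKEND": "django.template.backends.django.DjangoTemplates",
        "DIRS": [],
        "APP_DIRS": True,
        "OPTIONS": {"autoescape": False, "context_processors": []},
    },
    {
        "BACKEND": "django.template.backends.jinja2.Jinja2",
        "DIRS": [],
        "OPTIONS": {"environment": "myproject.jinja2.environment"},
    },
]
'''

def _lookup(d: ast.Dict, name: str):
    """Return the AST value stored under string key `name` in a dict literal."""
    for key, value in zip(d.keys, d.values):  # key is None for **spread entries
        if isinstance(key, ast.Constant) and key.value == name:
            return value
    return None

def find_disabled_autoescape(source: str) -> list:
    """Return (line, backend) for each TEMPLATES entry whose OPTIONS sets
    autoescape to a literal False; non-literal settings are out of scope."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign) or not isinstance(node.value, (ast.List, ast.Tuple)):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "TEMPLATES" for t in node.targets):
            continue
        for entry in node.value.elts:
            if not isinstance(entry, ast.Dict):
                continue
            backend = _lookup(entry, "BACKEND")
            options = _lookup(entry, "OPTIONS")
            if not isinstance(options, ast.Dict):
                continue
            autoescape = _lookup(options, "autoescape")
            if isinstance(autoescape, ast.Constant) and autoescape.value is False:
                name = backend.value if isinstance(backend, ast.Constant) else "<unknown backend>"
                findings.append((autoescape.lineno, name))
    return findings
```

Removing the `"autoescape": False` entry (or setting it to `True`) restores Django's default escaping, and the check then reports nothing.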

Impact

If exploited, an attacker could execute cross-site scripting (XSS) attacks, allowing them to steal user data, hijack sessions, or deface pages. This can compromise user security and trust, potentially leading to data breaches or regulatory violations.