Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Using the html_safe() decorator in Django marks data as safe for HTML rendering, bypassing automatic escaping. This can allow untrusted or user-supplied input to be rendered directly in templates, making your application vulnerable to XSS attacks.
Impact#
If exploited, attackers could inject malicious scripts into your web pages, leading to data theft, session hijacking, or defacement. This not only puts user data at risk but can also damage your application’s reputation and security compliance.