Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Property
Language
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description#

Extending Django’s ‘SafeString’, ‘SafeText’, or ‘SafeData’ classes disables automatic HTML escaping, which can allow untrusted data to be rendered as raw HTML. This practice can easily introduce cross-site scripting (XSS) vulnerabilities if any user input is included.

Impact#

If exploited, attackers could inject malicious scripts into web pages, leading to data theft, session hijacking, or defacement. This compromises user trust and can result in serious security breaches affecting both users and the organization.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Description#

Impact#