Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Rendering user data directly into the response body in Pyramid, instead of going through a template engine, bypasses the automatic HTML escaping that the template engine would apply and so removes the built-in protection against cross-site scripting (XSS). User input can then reach the HTML output unescaped, and the browser will interpret any markup or script it contains.
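The following is an added example, not code from the original page: the hand-built response body the rule flags, beside the escaped form, plus the check a test can use to confirm the input no longer survives as markup. Pyramid is not imported so the block runs stand-alone; the body-building functions stand in for what a view would pass to `pyramid.response.Response`, and `SAMPLE_NAME` is a constructed input.

```python
import html

# Constructed sample input: a "name" request parameter carrying HTML markup.
SAMPLE_NAME = "<script>alert(1)</script>"


def greeting_unsafe(name: str) -> str:
    """Vulnerable form: the user value is concatenated straight into HTML.

    This is what a Pyramid view does when it returns
    Response("<h1>Hello " + request.params["name"] + "</h1>") instead of
    rendering through a template engine that auto-escapes.
    """
    return "<h1>Hello " + name + "</h1>"


def greeting_safe(name: str) -> str:
    """Fixed form: escape before interpolating.

    html.escape(quote=True) also converts quote characters, so the same
    escaped value is safe both as element text and inside an attribute.
    """
    safe = html.escape(name, quote=True)
    return '<h1 title="' + safe + '">Hello ' + safe + "</h1>"


def markup_leaks(rendered: str, user_value: str) -> bool:
    """Return True when the user-supplied string appears verbatim in the
    rendered body, meaning the browser would parse it as markup rather
    than display it as text. Useful as a regression check for views."""
    return user_value in rendered


def build_response_body(params: dict) -> str:
    """Shape of the corrected view: read the parameter as a Pyramid view
    would from request.params, then pass the escaped body to Response."""
    return greeting_safe(params.get("name", ""))
```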
Impact
If exploited, attackers could inject malicious scripts into your web pages, allowing them to steal user data, hijack sessions, or deface your site. This exposes both your users and your application to significant security risks, including data theft and loss of trust.