| Property | Value |
| --- | --- |
| Language | ruby |
| Severity | low |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

In Rails, `ActiveSupport.escape_html_entities_in_json` (set via `config.active_support.escape_html_entities_in_json`) controls whether the JSON encoder replaces `<`, `>` and `&` with the Unicode escapes `\u003c`, `\u003e` and `\u0026`. Setting it to `false` leaves those characters verbatim, so untrusted user input that reaches a JSON response or an inlined JSON blob is emitted without this HTML-safe encoding. The JSON itself stays valid and decodes to the same value either way; the problem is that a string such as `</script>` inside it is no longer neutralised when the JSON is embedded in an HTML page, which is the context in which it becomes executable.

Impact

If exploited, an attacker can achieve cross-site scripting (XSS) when the unescaped JSON is placed into an HTML document, for example rendered into a `<script>` block with `raw` or `html_safe`, or inserted into the DOM via `innerHTML`. A value containing `</script>` closes the script element and the remainder of the payload is parsed as attacker-controlled markup. The consequences are the usual ones for XSS: session hijacking, theft of data visible to the victim, or manipulation of the application's content for users viewing the affected pages. A response served only as `application/json` and consumed with `JSON.parse` is not executed by the browser; the exposure depends on how the output is later embedded in HTML.
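The following added example (not code from the original page or from Rails) reproduces the two escape modes described above with only the `json` standard library, so it runs without ActiveSupport. `encode_json` applies the same character set ActiveSupport's encoder uses (`<`, `>`, `&`, plus the U+2028/U+2029 line terminators, which are escaped in both modes), and `inline_script` simulates a view that inlines server data into a `<script>` tag. The payload `MALICIOUS_NAME` is constructed for illustration; the helper names are assumptions for this example.

```ruby
require 'json'

# Constructed payload: what an attacker might store in a "name" field.
MALICIOUS_NAME = '</script><script>alert(document.cookie)</script>'

# Mirrors the two escape modes of ActiveSupport's JSON encoder.
# With HTML escaping on, <, > and & become \u003c, \u003e and \u0026;
# the U+2028/U+2029 line terminators are escaped in both modes.
# (Hypothetical helper written for this example.)
def encode_json(obj, escape_html: true)
  raw = JSON.generate(obj) # JSON.generate leaves <, > and & untouched
  pattern = escape_html ? /[\u2028\u2029><&]/ : /[\u2028\u2029]/
  raw.gsub(pattern) { |ch| format('\\u%04x', ch.ord) }
end

# Simulates an ERB view doing: <script>var user = <%= raw data.to_json %>;</script>
def inline_script(data, escape_html:)
  "<script>var user = #{encode_json(data, escape_html: escape_html)};</script>"
end

# The browser's HTML parser ends a script element at the first "</script>",
# regardless of JavaScript string context. More than one closing tag in the
# rendered markup means the embedded data broke out of the script block.
def script_breakout?(html)
  html.scan(%r{</script\s*>}i).size > 1
end

if __FILE__ == $PROGRAM_NAME
  data = { name: MALICIOUS_NAME }
  [false, true].each do |mode|
    html = inline_script(data, escape_html: mode)
    puts "escape_html_entities_in_json=#{mode}: #{html}"
    puts "  breaks out of <script>: #{script_breakout?(html)}"
  end
end
```

With escaping disabled the rendered page contains three `</script>` tags and the injected script runs; with escaping enabled the payload is emitted as `\u003c/script\u003e...`, which `JSON.parse` in the browser still decodes to the original string, so the application sees identical data and only the HTML-parsing hazard is removed.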