Property
Language: ruby
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Rails' content_tag() helper can bypass the automatic HTML escaping that views normally apply, so untrusted data can be rendered directly in the browser. If external input reaches content_tag() without proper sanitization, it can introduce a cross-site scripting (XSS) vulnerability.
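The example below is added here to illustrate the rule; it is not code from this page or from Rails. It uses a small stand-in for the helper rather than ActionView so it runs offline: unsafe_tag mirrors the shape of content_tag (the tag name is interpolated as given, and the body is escaped only while the escape flag stays true), and safe_tag is the hardened wrapper a reviewer would ask for. ALLOWED_TAGS, unsafe_tag, safe_tag and the sample payload are all constructed for this illustration.

```ruby
require "erb"

# Constructed allowlist for the hardened helper: only element names that
# the application actually renders.
ALLOWED_TAGS = %w[div span p strong em].freeze

# Stand-in for the risky call shape: the tag name goes into the markup
# as-is, and the body is escaped only while escape is true. Either a
# caller-controlled name or escape: false lets untrusted input through.
def unsafe_tag(name, content, escape: true)
  body = escape ? ERB::Util.html_escape(content) : content
  "<#{name}>#{body}</#{name}>"
end

# Hardened wrapper: the tag name must come from the allowlist, and the
# body is always escaped, so there is no argument that can turn escaping
# off. Reject rather than "clean" a name that is not on the list.
def safe_tag(name, content)
  name = name.to_s
  raise ArgumentError, "tag not allowed: #{name}" unless ALLOWED_TAGS.include?(name)
  "<#{name}>#{ERB::Util.html_escape(content)}</#{name}>"
end

if __FILE__ == $0
  payload = "<script>evil()</script>"  # constructed sample of untrusted input
  puts unsafe_tag(:div, payload, escape: false)  # markup reaches the browser intact
  puts unsafe_tag(:div, payload)                 # escaped, as long as nobody flips the flag
  puts safe_tag(:div, payload)                   # escaped, and the flag does not exist
end
```

When reviewing a real call, look for the tag name or the escape argument being derived from params, request headers or stored user content; those are the two inputs the hardened form removes.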

Impact

An attacker could inject malicious scripts into your application’s pages, potentially stealing user data, hijacking sessions, or defacing the site. This can compromise user trust, lead to data breaches, and expose your organization to legal and reputational risks.