Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description#
User input is being passed directly into the body or URL of Rails’ link_to helper without proper escaping or validation. This can allow attackers to inject malicious content or scripts into generated links.
Impact#
If exploited, an attacker could perform Cross-Site Scripting (XSS) by injecting JavaScript or other harmful code, potentially leading to session hijacking, data theft, or unauthorized actions on behalf of users. It undermines application trust and can result in data breaches or compromise of user accounts.