Property
Language: ruby
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using the raw() method in Rails disables automatic HTML escaping, which means any untrusted data rendered this way can include malicious scripts. This exposes your application to cross-site scripting (XSS) vulnerabilities if user input is displayed using raw().
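The difference between escaped and raw output, as an added example that is not part of the original page and does not require Rails: it uses ERB and ERB::Util.html_escape from the Ruby standard library to model what a Rails view does for `<%= comment %>` (escaped by default) versus `<%= raw(comment) %>` (inserted verbatim). The comment string and the helper names are constructed for the example.

```ruby
# Added example, not the page's code: stdlib-only model of Rails' default
# escaping versus raw(). Rails escapes <%= %> output automatically; raw()
# marks the string html_safe so the view inserts it without escaping.
require 'erb'

# Constructed untrusted input, as an attacker-controlled comment field might hold.
UNTRUSTED_COMMENT = '<script>alert(1)</script> Nice post!'

# Escaped rendering: what Rails does for <%= comment %> without raw().
# html_escape replaces &, <, >, " and ' with entities, so the browser
# shows the text instead of executing it.
def render_escaped(comment)
  template = ERB.new('<p class="comment"><%= ERB::Util.html_escape(comment) %></p>')
  template.result_with_hash(comment: comment)
end

# Unescaped rendering: equivalent to <%= raw(comment) %> in a Rails view.
# The untrusted string lands in the page verbatim, tags and all.
def render_raw(comment)
  template = ERB.new('<p class="comment"><%= comment %></p>')
  template.result_with_hash(comment: comment)
end

# Review-style check (hypothetical helper): does any tag from the untrusted
# input survive unchanged in the rendered HTML? True means the output is
# injectable; a reviewer would expect false for every path that renders
# user-supplied data.
def contains_unescaped_tag?(html, input)
  input.scan(/<[^>]+>/).any? { |tag| html.include?(tag) }
end

if __FILE__ == $PROGRAM_NAME
  puts render_escaped(UNTRUSTED_COMMENT)
  puts render_raw(UNTRUSTED_COMMENT)
end
```

The safe path is the default one: leave `<%= %>` output escaped, and reserve `raw` (or `html_safe`) for markup your own code generated or that has already passed through a sanitizer. Reviewing for this rule means finding every `raw(...)` call and confirming the argument cannot carry user-controlled bytes.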

Impact

If exploited, attackers can inject malicious JavaScript into your webpages, potentially stealing user credentials, hijacking sessions, or defacing your site. This can lead to loss of user trust, data breaches, and compliance violations for your organization.