Property
Language: ruby
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Building ERB templates from strings at runtime can introduce security risks, especially when user input is interpolated into the template source rather than passed to it as data. Input that becomes part of the template text is compiled and evaluated as Ruby, which may lead to server-side template injection (SSTI); input that is emitted without HTML escaping may lead to cross-site scripting (XSS).
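The following is an added example, not code from the original rule page or from the tool it documents. It contrasts three ways of rendering the same greeting with the standard library's `ERB` and `CGI`: interpolating the untrusted value into the template source (the pattern this rule flags), passing it as a template variable but emitting it unescaped (no SSTI, but still XSS), and passing it as a variable and escaping it at output time. The `render_*` function names and the input values are constructed for the example.

```ruby
require "erb"
require "cgi"

# Vulnerable pattern (what this rule flags): the untrusted value is spliced
# into the template SOURCE, so any ERB tags inside it are compiled and run
# on the server with the caller's binding (server-side template injection).
def render_unsafe(name)
  template = "<p>Hello, #{name}!</p>" # input becomes template code
  ERB.new(template).result(binding)
end

# Half-fixed pattern: the template source is a fixed developer-written string
# and the value is passed in as data, so it is never compiled as ERB. It is
# still emitted without HTML escaping, which leaves reflected XSS (CWE-79).
UNESCAPED_TEMPLATE = ERB.new("<p>Hello, <%= name %>!</p>")

def render_unescaped(name)
  UNESCAPED_TEMPLATE.result_with_hash(name: name)
end

# Hardened pattern: fixed template source, value passed as data, and
# HTML-escaped at the point of output.
ESCAPED_TEMPLATE = ERB.new("<p>Hello, <%= CGI.escapeHTML(name) %>!</p>")

def render_safe(name)
  ESCAPED_TEMPLATE.result_with_hash(name: name)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a harmless ERB tag and a harmless HTML tag, used only
  # to make the difference between the three renderers visible.
  erb_tag  = "<%= 1 + 1 %>"
  html_tag = "<b>x</b>"
  puts render_unsafe(erb_tag)     # the tag was evaluated: <p>Hello, 2!</p>
  puts render_unescaped(erb_tag)  # not evaluated, but reflected verbatim
  puts render_unescaped(html_tag) # markup reaches the page unescaped
  puts render_safe(html_tag)      # markup is neutralised
end
```

The detection signal for this rule is the first function's shape: a string built with interpolation (or concatenation) that is then handed to `ERB.new`. The fix is not to escape the interpolated value, which would still leave the template source under the caller's control, but to keep the template source static and hand values in through `result_with_hash` (or a binding), escaping them where they are printed.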

Impact

If exploited, attackers could execute malicious code on the server or inject harmful scripts into web pages, potentially leading to data theft, account compromise, or unauthorized access to sensitive information. This can severely damage user trust and the security of the application.