Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Using ‘render text:’ in Rails sets the response content-type to ’text/html’, which means any user-supplied data rendered this way can be interpreted as HTML. This can allow attackers to inject malicious scripts if external input is included, leading to cross-site scripting (XSS) vulnerabilities.
Impact#
If exploited, an attacker could execute malicious JavaScript in users’ browsers, leading to data theft, session hijacking, or defacement of your application. This compromises user trust, can expose sensitive information, and may result in regulatory or reputational damage.