Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Using ‘render inline:’ in Rails allows entire ERB templates to be rendered directly from strings, which can expose your app to security risks if any user input is included. This can lead to attackers injecting malicious code that gets executed or displayed in the browser.
Impact#
If exploited, attackers could execute arbitrary code on the server (server-side template injection) or inject scripts into pages viewed by other users (cross-site scripting). This could result in data theft, account compromise, or even full control over the server, seriously affecting user trust and application security.