SYM_GEN_0014 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | regex |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Wrapping template content in `{% autoescape off %}` turns off Django's HTML autoescaping for everything up to the matching `{% endautoescape %}`: every context variable rendered inside the block, including raw user input, is emitted verbatim instead of having `<`, `>`, `&`, `"` and `'` escaped. This makes it easy to introduce cross-site scripting by accident, because the block is usually added for one trusted fragment and then silently covers any other variable placed inside it later. Autoescaping should stay on; a fragment that genuinely needs to be rendered as raw HTML should be sanitized and marked safe individually (with `mark_safe()` or the `safe` filter), so that the exception is explicit and scoped to one value. Note that this rule only matches the tag itself: it does not flag `|safe`, `mark_safe()`, or an engine-wide `'autoescape': False` in the `TEMPLATES` setting, all of which disable escaping just as effectively.
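The following is an added example, not code from the SymbioticSec project or from Django. It does two things: it implements the detection this rule describes as a regex scan over template source (tolerating the whitespace variants the Django tag parser accepts), and it shows the effect of the tag with a deliberately small toy renderer that mirrors Django's escaping semantics (`html.escape` produces the same entities as Django's `escape` filter; the `SafeString` class stands in for `mark_safe()`). The template files, variable names and the `<script>` payload are constructed for the example and are assumptions, not data from the page.

```python
import html
import re

# Constructed sample templates (not from the SymbioticSec project): one wraps
# untrusted input in '{% autoescape off %}', the other leaves autoescaping on.
TEMPLATES = {
    "vulnerable.html": (
        "<h1>Comments</h1>\n"
        "{% autoescape off %}\n"
        "<p>{{ comment }}</p>\n"
        "{% endautoescape %}\n"
    ),
    "safe.html": "<h1>Comments</h1>\n<p>{{ comment }}</p>\n",
}

# Detection: Django accepts arbitrary whitespace inside '{% %}', so the pattern
# does too; a literal "{% autoescape off %}" search would miss "{%autoescape off%}".
AUTOESCAPE_OFF = re.compile(r"{%\s*autoescape\s+off\s*%}")


def find_autoescape_off(source):
    """Return 1-based line numbers of every '{% autoescape off %}' tag in one template."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if AUTOESCAPE_OFF.search(line)]


def scan(templates):
    """Map template name -> offending line numbers; templates with no hit are omitted."""
    result = {}
    for name, source in templates.items():
        lines = find_autoescape_off(source)
        if lines:
            result[name] = lines
    return result


# Toy renderer (an assumption: a deliberately small stand-in for Django's engine)
# supporting '{{ var }}' and '{% autoescape on|off %}...{% endautoescape %}'.
# html.escape(quote=True) converts < > & " ' into the same entities as Django's
# escape filter; a SafeString is emitted verbatim, like a mark_safe() value.
class SafeString(str):
    """Marks a value as already-trusted HTML; the renderer will not escape it."""


VAR = re.compile(r"{{\s*(\w+)\s*}}")
BLOCK = re.compile(r"{%\s*autoescape\s+(on|off)\s*%}(.*?){%\s*endautoescape\s*%}", re.S)


def _render_vars(text, context, escape):
    def replace(m):
        value = context.get(m.group(1), "")
        if escape and not isinstance(value, SafeString):
            return html.escape(str(value), quote=True)
        return str(value)
    return VAR.sub(replace, text)


def render(source, context, autoescape=True):
    """Render in a single pass so substituted text is never re-parsed as template syntax."""
    out, pos = [], 0
    for m in BLOCK.finditer(source):
        out.append(_render_vars(source[pos:m.start()], context, autoescape))
        out.append(_render_vars(m.group(2), context, m.group(1) == "on"))
        pos = m.end()
    out.append(_render_vars(source[pos:], context, autoescape))
    return "".join(out)


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"  # constructed attacker input
    print("flagged:", scan(TEMPLATES))
    for name, source in TEMPLATES.items():
        print(f"--- {name} ---")
        print(render(source, {"comment": payload}))
    # Correct pattern: autoescaping stays on, only a fragment the application built
    # itself is marked safe, and the untrusted value next to it is still escaped.
    badge = SafeString("<em>pinned</em>")
    print(render("{{ badge }} {{ comment }}", {"badge": badge, "comment": payload}))
```

Running the block flags `vulnerable.html` at line 2 and prints the `<script>` payload unescaped for that template, while `safe.html` renders it as `&lt;script&gt;...`. The last render shows the recommended shape of a fix: the exception is attached to the one trusted value rather than to a region of the template, so a variable added beside it later is still escaped.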
Impact
If attacker-controlled input reaches an unescaped block, the injected script runs in the victim's browser with the application's own origin: it can read page content and form data, send authenticated requests on the user's behalf, and steal any session cookie that is not marked HttpOnly. The result is account takeover, exposure of user data and, for an administrative user, actions performed with that user's privileges, with the corresponding loss of user trust.