SYM_GEN_0018 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Calling `html_safe` on a string in Rails views disables the automatic HTML escaping that `<%= %>` would otherwise apply, so any untrusted user input contained in that string is rendered as raw HTML. If user-controlled data is ever marked `html_safe`, it introduces serious security risks.
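The pattern the description warns about, shown as an added example (this is not code from the Symbiotic database or from Rails itself): a vulnerable helper that marks a string containing user input as safe, beside the fixed version that escapes each user-controlled value before marking only the developer-controlled markup as safe. `SafeString`, `html_safe`, `h` and `emit` are assumed stand-ins that model the SafeBuffer/ERB escaping behaviour so the file runs with plain Ruby.

```ruby
require "erb"

# Stand-in for Rails' ActiveSupport::SafeBuffer (assumption: models the
# behaviour described above; it is not Rails' own implementation).
# A SafeString is emitted verbatim by the template; any other String is
# HTML-escaped, which is what <%= %> does in a Rails view.
class SafeString < String; end

# Like String#html_safe in Rails: asserts "this is already safe markup".
def html_safe(str)
  SafeString.new(str)
end

# Like Rails' `h` helper: escape first, then mark the result as safe.
def h(str)
  SafeString.new(ERB::Util.html_escape(str))
end

# What a template does with <%= value %>: skip escaping only for SafeString.
def emit(value)
  value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value)
end

# Vulnerable: the whole string, user input included, is marked safe, so the
# escaping step is skipped for the user-controlled author and body.
def comment_html_vulnerable(author, body)
  emit(html_safe("<p><b>#{author}</b>: #{body}</p>"))
end

# Fixed: escape each user-controlled value with h before interpolating it;
# the only unescaped markup left is the developer-written <p> and <b>.
def comment_html_fixed(author, body)
  emit(html_safe("<p><b>#{h(author)}</b>: #{h(body)}</p>"))
end

# Regression check for a review or test suite: does any tag that appeared
# in the input survive unescaped in the rendered output?
def leaks_raw_markup?(output, input)
  input.scan(/<[^>]+>/).any? { |tag| output.include?(tag) }
end

if __FILE__ == $PROGRAM_NAME
  body = '<script>alert("xss")</script>' # constructed sample input
  puts comment_html_vulnerable("Mallory", body)
  puts comment_html_fixed("Mallory", body)
end
```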
Impact
If exploited, attackers can inject malicious scripts (XSS) into your web pages, leading to data theft, account compromise, or defacement. This can undermine user trust, expose sensitive information, and potentially allow attackers to act on behalf of users in your application.