SYM_GEN_0027 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | regex |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

Using triple braces `{{{...}}}` or the ampersand form `{{& ...}}` in Mustache templates disables HTML escaping, so whatever value is rendered at that spot is inserted into the page as raw HTML rather than as text. If user-supplied or other untrusted data reaches one of these tags, any markup or script it contains becomes part of your web page.
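The following is an added example, not code from the Symbiotic database or from any Mustache implementation. It uses a small dependency-free renderer (constructed for this page, handling only simple variable tags) to show the escaping difference between `{{name}}`, `{{{name}}}` and `{{& name}}`, and a regex scanner of the kind this rule describes that flags the two unescaped forms in template source. The template and the untrusted value are constructed sample input; the escape table mirrors the characters Mustache.js escapes by default but is an assumption, not the library's own code.

```javascript
// Added example (not the database's or Mustache's own code): minimal
// Mustache-style renderer plus a scanner for unescaped-output tags.

// Characters replaced by Mustache-style HTML escaping (assumed table).
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
};

// HTML-escape a value so browsers treat it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => ESCAPE_MAP[ch]);
}

// Render simple variable tags only (no sections or partials):
//   {{key}}   -> escaped output
//   {{{key}}} -> raw output (escaping disabled)
//   {{& key}} -> raw output (escaping disabled)
function render(template, view) {
  const tagRe =
    /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*&\s*([\w.]+)\s*\}\}|\{\{\s*([\w.]+)\s*\}\}/g;
  return template.replace(tagRe, (_, triple, amp, plain) => {
    const key = triple ?? amp ?? plain;
    const value = view[key] ?? '';
    const unescaped = triple !== undefined || amp !== undefined;
    return unescaped ? String(value) : escapeHtml(value);
  });
}

// Scanner: list every unescaped-output tag with its 1-based line number.
// This is the kind of check a regex rule for this weakness performs.
function findUnescapedTags(templateSource) {
  const findings = [];
  const unescapedRe = /\{\{\{\s*[\w.]+\s*\}\}\}|\{\{\s*&\s*[\w.]+\s*\}\}/g;
  templateSource.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(unescapedRe)) {
      findings.push({ line: idx + 1, tag: m[0] });
    }
  });
  return findings;
}

// Constructed sample input: a display name that contains markup.
const untrustedName = '<script>alert(1)</script>';

// Constructed sample template: line 1 is safe, lines 2 and 3 are not.
const sampleTemplate = [
  '<p>Hello {{name}}</p>',
  '<p>Hello {{{name}}}</p>',
  '<p>Hello {{& name}}</p>',
].join('\n');

// Stand-alone demo: show the rendered HTML and the scanner findings.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(render(sampleTemplate, { name: untrustedName }));
  console.log(findUnescapedTags(sampleTemplate));
}
```

Line 1 renders the value as `&lt;script&gt;alert(1)&lt;&#x2F;script&gt;`, which the browser displays as text; lines 2 and 3 emit the `<script>` element verbatim, and the scanner reports exactly those two tags. The fix is to use the double-brace form for anything that may be untrusted; where genuinely trusted HTML must be emitted raw, sanitize it with an allow-list HTML sanitizer before it is placed in the view, so the template never receives unvetted markup.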
## Impact

Attackers could inject JavaScript or other malicious markup into your application's pages, resulting in cross-site scripting (XSS). This may let them steal user sessions, deface the site, or perform actions on behalf of logged-in users, putting both your users and your organization's reputation at risk.