SYM_GO_0034 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | Go |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A07:2017 - Cross-Site Scripting (XSS) |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
Go's html/template package escapes every interpolated value according to the context it lands in (HTML element content, attribute, URL, script, style). The typed-string conversions template.HTML(), template.JS() and template.CSS() (and the related template.HTMLAttr(), template.JSStr(), template.URL() and template.Srcset()) tell the engine that a value is already safe for that context, so the escaper emits it verbatim. Applying one of these conversions to non-constant or user-controlled input therefore switches the protection off for exactly that value: any markup, script or style the input contains is written into the page unchanged, and an attacker who controls the input can inject arbitrary HTML or JavaScript. The conversions are only appropriate for compile-time constants or for content that has already been sanitized by a dedicated HTML sanitizer.
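The following is an added example written for this entry, not code from the Symbiotic rule set itself. It renders the same constructed attacker input twice through two small html/template templates: once wrapped in template.HTML / template.JS (the pattern this rule flags) and once as a plain string, so the difference in the emitted HTML and script can be seen directly. The template text, field names and payload strings are assumptions chosen for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Two small templates: one interpolates into HTML element content, the other
// into a JavaScript expression inside <script>. html/template chooses the
// escaper from the context, unless the value's type declares it already safe.
var (
	htmlTmpl   = template.Must(template.New("html").Parse(`<div class="bio">{{.Bio}}</div>`))
	scriptTmpl = template.Must(template.New("js").Parse(`<script>var name = {{.Name}};</script>`))
)

// Constructed attacker-controlled inputs used for the demonstration.
const (
	evilBio  = `<img src=x onerror="alert(1)">`
	evilName = `x"; alert(1); //`
)

// render executes t with data and returns the produced document as a string.
func render(t *template.Template, data interface{}) (string, error) {
	var buf bytes.Buffer
	err := t.Execute(&buf, data)
	return buf.String(), err
}

// renderBioUnsafe converts untrusted input to template.HTML. That marks the
// value as trusted HTML, so the escaper passes the payload through verbatim.
// This is the pattern the rule flags.
func renderBioUnsafe(bio string) (string, error) {
	return render(htmlTmpl, map[string]interface{}{"Bio": template.HTML(bio)})
}

// renderBioSafe passes the same input as a plain string; the engine
// HTML-escapes it for element content (<, >, ", ', & and + become entities).
func renderBioSafe(bio string) (string, error) {
	return render(htmlTmpl, map[string]interface{}{"Bio": bio})
}

// renderNameUnsafe does the same in a <script> context with template.JS:
// the input is spliced into the JavaScript source unchanged, so the quote
// closes nothing and "alert(1)" becomes part of the program.
func renderNameUnsafe(name string) (string, error) {
	return render(scriptTmpl, map[string]interface{}{"Name": template.JS(name)})
}

// renderNameSafe leaves the value as a string; in a JS context the engine
// emits it as a quoted, JSON-encoded JavaScript string literal.
func renderNameSafe(name string) (string, error) {
	return render(scriptTmpl, map[string]interface{}{"Name": name})
}

func main() {
	cases := []struct {
		label string
		fn    func(string) (string, error)
		in    string
	}{
		{"bio/unsafe ", renderBioUnsafe, evilBio},
		{"bio/safe   ", renderBioSafe, evilBio},
		{"name/unsafe", renderNameUnsafe, evilName},
		{"name/safe  ", renderNameSafe, evilName},
	}
	for _, c := range cases {
		out, err := c.fn(c.in)
		if err != nil {
			fmt.Println(c.label, "error:", err)
			continue
		}
		fmt.Println(c.label, out)
	}
}
```

Running it shows the unsafe variants emitting `<img src=x onerror="alert(1)">` and `var name = x"; alert(1); //;` exactly as supplied, while the plain-string variants produce `&lt;img src=x onerror=&#34;alert(1)&#34;&gt;` and `var name = "x\"; alert(1); //";`. When reviewing a code base, search for every conversion to these types and confirm the argument is a constant or the output of a sanitizer; the gosec linter's rule G203 reports template.HTML / template.JS / template.URL conversions of non-constant data for the same reason.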
Impact
If exploited, attackers could execute arbitrary JavaScript in users' browsers (Cross-Site Scripting), leading to data theft, session hijacking, or defacement of your application. This compromises user trust and may put sensitive data and accounts at risk.