SYM_JSTS_0010 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A07:2017 - Cross-Site Scripting (XSS) |
Confidence Level | Medium |
Impact Level | Medium |
Likelihood Level | High |
Description
Rendering HTML built from dynamic or user-supplied input directly into the DOM (e.g., via document.write, insertAdjacentHTML or innerHTML, or in React via dangerouslySetInnerHTML) without sanitization lets an attacker inject markup and script into the page, i.e. Cross-Site Scripting (XSS). Prefer APIs that treat the input as text (textContent, or plain JSX interpolation, which React escapes by default); when raw HTML genuinely has to be rendered, pass it through an allowlist-based HTML sanitizer such as DOMPurify first, and never rely on ad-hoc string replacement or a denylist of tags.
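The following is an added example, not code from the SymbioticSec wiki: the insertAdjacentHTML sink from the description beside two safe alternatives (building the DOM with textContent, and escaping before building a markup string). The untrusted value, the container element and the helper names are constructed for illustration; the markup builders are kept free of DOM calls so the checks also run under Node.

```javascript
// Constructed untrusted input, e.g. a "display name" read from a query string or API response.
const UNTRUSTED_NAME = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable: the input is concatenated into markup and parsed as HTML by the browser,
// so the onerror handler fires. This is the pattern the description warns about.
function greetingMarkupUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}
function renderGreetingUnsafe(container, name) {
  container.insertAdjacentHTML('beforeend', greetingMarkupUnsafe(name));
}

// Safe alternative 1: build the DOM with createElement/textContent. The string is never
// parsed as HTML, so a tag in `name` is displayed literally. In React, `{name}` in JSX
// gives the same guarantee because React escapes interpolated values by default.
function renderGreetingSafe(container, name) {
  const p = document.createElement('p');
  p.textContent = `Hello, ${name}!`;
  container.appendChild(p);
}

// Safe alternative 2: when a markup string is unavoidable (server-side templating,
// dangerouslySetInnerHTML), escape the five HTML-significant characters before
// concatenation. This is output encoding for an HTML text context; attribute values
// still need quoting, and URL or JavaScript contexts need their own encoders.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function greetingMarkupSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Check usable anywhere: does the markup still contain a live <img ...> tag?
function containsImgTag(markup) {
  return /<img\b/i.test(markup);
}

// Usage in a browser (skipped under Node, where `document` does not exist).
if (typeof document !== 'undefined') {
  const container = document.createElement('div');
  document.body.appendChild(container);
  renderGreetingSafe(container, UNTRUSTED_NAME);   // shows the tag as literal text
  // renderGreetingUnsafe(container, UNTRUSTED_NAME); // would execute the onerror payload
}
```

Escaping is the right fix only when the input is meant to be text. If the feature really needs to render user-authored HTML (a rich-text comment, for example), escaping would destroy it; the correct tool is then an allowlist sanitizer such as DOMPurify (`DOMPurify.sanitize(dirty)`) applied immediately before the sink, which strips event-handler attributes and script-bearing elements while keeping permitted formatting.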
Impact
If exploited, an attacker's script runs in your users' browsers with the application's own origin, enabling data theft, session hijacking, defacement, or malware distribution. This compromises user trust, violates privacy, and harms the application's reputation and security.