SYM_JSTS_0011 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Using React's dangerouslySetInnerHTML with dynamic or user-provided data can expose your app to cross-site scripting (XSS) attacks. React escapes ordinary text children, but dangerouslySetInnerHTML bypasses that escaping: the string is inserted into the DOM as raw HTML, so any unsanitized markup in it is parsed and attacker-controlled scripts can run.
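The following is an added example, not code from the Symbiotic database or from React: a small Node.js scanner that flags dangerouslySetInnerHTML usages whose __html value is not a plain string literal, which is the dynamic or user-provided case this entry describes. The React source it scans is constructed for the example and shows the vulnerable pattern next to the safe one (rendering the value as a text child). The scanner is a regex heuristic rather than an AST pass, so it deliberately keeps flagging values wrapped in a sanitizer call (DOMPurify.sanitize is used only as a realistic name here) for manual review instead of assuming the call is correct.

```javascript
// Added example: heuristic scanner for risky dangerouslySetInnerHTML usages.
// Not the database's own rule implementation; assumptions are noted inline.

// Matches dangerouslySetInnerHTML={{ __html: <expression> }} and captures the expression.
// Assumes the expression contains no braces (sufficient for the common cases).
const DANGEROUS_RE =
  /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]*?)\s*\}\s*\}/g;

// True only for a single, self-contained string literal with no interpolation.
// Anything else (identifiers, calls, concatenation, `${...}` templates) is dynamic.
function isStringLiteral(expr) {
  const e = expr.trim();
  if (e.length < 2) return false;
  const q = e[0];
  if (q !== '"' && q !== "'" && q !== '`') return false;
  if (e[e.length - 1] !== q) return false;
  // An interpolating template literal is dynamic even though it is quoted.
  if (q === '`' && e.includes('${')) return false;
  // Reject fragments such as "a" + x + "b": no unescaped closing quote may appear inside.
  const inner = e.slice(1, -1);
  let escaped = false;
  for (const ch of inner) {
    if (escaped) { escaped = false; continue; }
    if (ch === '\\') { escaped = true; continue; }
    if (ch === q) return false;
  }
  return true;
}

// Returns one finding per usage: 1-based line, the __html expression, and
// whether it is dynamic (needs review) or a constant literal (low risk).
function scanSource(source) {
  const findings = [];
  for (const m of source.matchAll(DANGEROUS_RE)) {
    const line = source.slice(0, m.index).split('\n').length;
    const expression = m[1].trim();
    findings.push({ line, expression, dynamic: !isStringLiteral(expression) });
  }
  return findings;
}

function formatReport(findings) {
  return findings.map(f =>
    `${f.dynamic ? 'FLAG ' : 'info '} line ${f.line}: __html = ${f.expression}`
  ).join('\n');
}

// Constructed sample input: a React file containing the vulnerable pattern,
// the safe alternative, a constant literal, and a sanitizer-wrapped value.
const SAMPLE_SOURCE = `
// Vulnerable: comment.body arrives from the API and is inserted as raw HTML
function Comment({ comment }) {
  return <div dangerouslySetInnerHTML={{ __html: comment.body }} />;
}

// Safe: React escapes text children, so any markup in comment.body is shown literally
function CommentText({ comment }) {
  return <div>{comment.body}</div>;
}

// Low risk: a constant string literal under the developer's control
function Footer() {
  return <p dangerouslySetInnerHTML={{ __html: "&copy; 2024 Example" }} />;
}

// Still flagged: sanitized, but the scanner cannot verify that, so a human reviews it
function RichComment({ comment }) {
  return <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(comment.body) }} />;
}
`;

console.log(formatReport(scanSource(SAMPLE_SOURCE)));
```

Running the block prints three lines: the comment.body usage and the sanitizer-wrapped usage are flagged, while the constant footer string is reported as informational. The scanner does not attempt to judge sanitizers because a sanitizer call is only as good as its configuration; the safe default remains rendering untrusted content as a text child and reserving dangerouslySetInnerHTML for markup the application itself produces.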
Impact
If exploited, attackers could steal user data, hijack sessions, or deface your site by executing malicious JavaScript in your users' browsers. This compromises user trust and can lead to data breaches or compliance violations.