SYM_JSTS_0021 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A07:2017 - Cross-Site Scripting (XSS) |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
Accepting user input and rendering it as HTML in Monaco Editor hovers with 'supportHtml' enabled can allow malicious scripts to execute in the browser. Avoid using untrusted or dynamic user input to generate hover content when HTML support is on.
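The pattern the rule flags, next to a hardened version, as an added example (not code from the SymbioticSec database or from Monaco Editor itself). The `{ value, supportHtml }` object shape is Monaco's `IMarkdownString`; the function names, the `findRawHtml` check and the sample doc string are constructed here for illustration.

```javascript
// Added example: builds the `contents` array a Monaco hover provider returns,
// using plain objects in the shape of monaco.IMarkdownString. No Monaco import
// is needed to show the pattern, so this runs stand-alone in Node.

// Constructed sample: a doc string that came from an untrusted source (e.g. a
// file the user opened) and carries an HTML tag with an event-handler attribute.
const UNTRUSTED_DOC = 'Sums two numbers <img src="x" onerror="alert(1)">';

// Escape the five characters that let text break out into HTML or attributes.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE pattern (what the rule flags): untrusted text is spliced into the
// markdown and supportHtml is on, so the tag is rendered as live HTML.
// `symbol` is assumed to come from the language service, not from the user.
function hoverContentsUnsafe(symbol, doc) {
  return [
    { value: `**${symbol}**` },
    { value: `<div class="doc">${doc}</div>`, supportHtml: true },
  ];
}

// HARDENED pattern: untrusted text is HTML-escaped before it is embedded, and
// supportHtml stays off for any entry carrying user-controlled data, so the
// renderer treats it as text rather than markup.
function hoverContentsSafe(symbol, doc) {
  return [
    { value: `**${symbol}**` },
    { value: escapeHtml(doc), supportHtml: false },
  ];
}

// Simple review check over a hover provider's output: flag every entry that
// enables supportHtml while its value still contains a raw tag.
function findRawHtml(contents) {
  return contents.filter(
    (c) => c.supportHtml === true && /<[a-z!\/]/i.test(c.value)
  );
}

// How the hardened builder would plug into Monaco (sketch, not executed here):
//   monaco.languages.registerHoverProvider("javascript", {
//     provideHover: (model, pos) => ({ contents: hoverContentsSafe("add", docFor(pos)) }),
//   });
```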
Impact
If exploited, attackers could inject and run arbitrary JavaScript in users' browsers (XSS), potentially stealing session data, hijacking accounts, or compromising the integrity of your application and its users.