SYM_JSTS_0170 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description
Directly inserting user input into DOM elements using angular.element methods like .html(), .append(), or .prepend() without proper sanitization or encoding can introduce cross-site scripting (XSS) risks. Untrusted data should always be sanitized or encoded before being rendered as HTML.
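The following is an added example, not code from the Symbiotic rule or from AngularJS, contrasting the unsafe `angular.element(...).html(userInput)` pattern with two safe alternatives: HTML-encoding the value before interpolation, and using `.text()` so the value becomes a text node instead of markup. `fakeElement()` is a constructed stand-in for a jqLite element wrapper (it stores what a browser would serialize as `innerHTML`), so the file runs under plain Node.js without AngularJS or a DOM; the `<script>` string is a constructed probe input, not a real payload from any application.

```javascript
// Minimal HTML entity encoder for values interpolated into an HTML text context.
// '&' is replaced first so already-encoded output is not double-encoded.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed stand-in for an angular.element / jqLite wrapper (assumption: only
// .html() and .text() are needed). .html() parses its argument as markup; .text()
// creates a text node, which serializes back as entity-encoded characters.
function fakeElement() {
  return {
    innerHTML: '',
    html(markup) { this.innerHTML = String(markup); return this; },
    text(value) { this.innerHTML = escapeHtml(value); return this; },
  };
}

// VULNERABLE: user-controlled displayName and commentText are concatenated into
// markup and handed to .html(), so any tags they contain are rendered as HTML.
function renderCommentUnsafe(el, displayName, commentText) {
  el.html('<div class="comment"><b>' + displayName + '</b>: ' + commentText + '</div>');
  return el.innerHTML;
}

// Builds the comment markup with every untrusted value encoded. The tags that
// remain are the template's own, never the user's.
function buildCommentMarkup(displayName, commentText) {
  return '<div class="comment"><b>' + escapeHtml(displayName) + '</b>: ' +
         escapeHtml(commentText) + '</div>';
}

// FIXED, option 1: encode before interpolating, then .html() is safe to call.
function renderCommentFixed(el, displayName, commentText) {
  el.html(buildCommentMarkup(displayName, commentText));
  return el.innerHTML;
}

// FIXED, option 2: when no markup is needed at all, use .text() so the browser
// never parses the value as HTML.
function renderCommentAsText(el, commentText) {
  el.text(commentText);
  return el.innerHTML;
}

// Stand-alone demonstration with a constructed probe input.
const probe = '<script>alert(1)</script>';
console.log('unsafe :', renderCommentUnsafe(fakeElement(), probe, 'hello'));
console.log('encoded:', renderCommentFixed(fakeElement(), probe, 'hello'));
console.log('text   :', renderCommentAsText(fakeElement(), probe));
```

In a real AngularJS application the same split applies: keep `.html()`, `.append()` and `.prepend()` for markup you built from encoded or sanitized values (the ngSanitize module's `$sanitize` service is the built-in sanitizer), use `.text()` or `ng-bind` for plain values, and treat `$sce.trustAsHtml` as a declaration that sanitization has already happened, not as a substitute for it.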
## Impact
If exploited, attackers could inject malicious scripts into your application's pages, allowing them to steal user data, hijack sessions, or deface the site. This can lead to data breaches, compromised user accounts, and loss of trust in your application.