SYM_PY_0187 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Property | Value |
---|---|
Language | Python |
Severity | |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
OWASP | A07:2017 - Cross-Site Scripting (XSS) |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
Declaring a custom Django template filter with `is_safe=True` (for example `@register.filter(is_safe=True)`) is a promise to the template engine that the filter does not introduce any HTML that would need escaping. Django acts on that promise as follows: if the filter's input is already marked safe (a `SafeString` produced by `mark_safe()` or the `|safe` filter), the output is marked safe as well and is rendered without auto-escaping; if the input is not safe, the output is auto-escaped as usual. The flag itself escapes nothing. It becomes a vulnerability when the promise is false: a filter that builds markup from its argument, pulls in external data, or rewrites the input in a way that can add characters such as `<`, `>`, `"` or `&` will have that content emitted unescaped whenever it runs on a safe input, so attacker-controlled text can reach the page as live HTML or JavaScript.
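As an added example (not code from this database entry or from Django itself), the vulnerable filter beside a hardened one, with a small model of the two engine steps that matter (the `is_safe` check and the final auto-escape) so the difference is visible without a template or Django settings. The names `badge`, `badge_safe`, `render`, `template_filter`, `demo` and the payload are assumed for illustration; the stand-ins for `SafeData`, `mark_safe`, `conditional_escape` and `format_html` are used only when Django is not importable.

```python
"""Django template filter wrongly declared is_safe=True, beside its fix.

Added example, not part of the database entry or of Django's own code.
Filter names, PAYLOAD and the sample inputs are constructed for illustration.
"""
import html

try:
    from django.utils.html import conditional_escape, format_html
    from django.utils.safestring import SafeData, mark_safe
except ImportError:
    # Stand-in with the same semantics as the four Django names above,
    # used only so the example also runs where Django is not installed.
    class SafeData:
        """Marker: the string is trusted and must not be escaped again."""

    class SafeString(str, SafeData):
        def __html__(self):
            return self

    def mark_safe(s):
        return s if isinstance(s, SafeData) else SafeString(s)

    def conditional_escape(s):
        return s if isinstance(s, SafeData) else SafeString(html.escape(str(s)))

    def format_html(fmt, *args, **kwargs):
        return mark_safe(fmt.format(
            *(conditional_escape(a) for a in args),
            **{k: conditional_escape(v) for k, v in kwargs.items()},
        ))


def template_filter(is_safe=False):
    """Stand-in for register.filter(is_safe=...): for this flag, Library.filter
    does nothing more than set the attribute that the engine later reads."""
    def decorate(func):
        func.is_safe = is_safe
        return func
    return decorate


@template_filter(is_safe=True)  # wrong: the output contains markup built from `label`
def badge(value, label):
    return '<span class="badge" title="%s">%s</span>' % (label, value)


@template_filter(is_safe=True)  # harmless here: the output is already escaped and marked
def badge_safe(value, label):
    # format_html() runs conditional_escape() on label and value and marks the
    # result safe, so a safe `value` stays intact and untrusted text is escaped
    # no matter where it came from.
    return format_html('<span class="badge" title="{}">{}</span>', label, value)


def render(filter_func, value, *args, autoescape=True):
    """Model of what the engine does for {{ value|filter:arg }}: apply the
    filter, propagate safeness when is_safe is set and the input was safe,
    then auto-escape anything that is still untrusted."""
    out = filter_func(value, *args)
    if getattr(filter_func, "is_safe", False) and isinstance(value, SafeData):
        out = mark_safe(out)
    return str(conditional_escape(out)) if autoescape else str(out)


# Constructed attacker-controlled filter argument, e.g. a profile field.
PAYLOAD = '" onmouseover="alert(1)'


def demo():
    safe_input = mark_safe("Hello")  # e.g. HTML the view already sanitised
    return {
        # is_safe=True and a safe input: `label` is never escaped -> attribute injection
        "vuln_safe_input": render(badge, safe_input, PAYLOAD),
        # same filter on a plain input: everything is escaped (no XSS, but broken markup)
        "vuln_plain_input": render(badge, "Hello", PAYLOAD),
        # hardened filter: markup preserved, `label` escaped
        "fixed_safe_input": render(badge_safe, safe_input, PAYLOAD),
        "fixed_plain_input": render(badge_safe, "<b>Hi</b>", "ok"),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out}")
```

The second case in `demo()` is why developers reach for `is_safe=True` in the first place: on a plain input the whole `<span>` is escaped and the badge never renders. The fix is not the flag but escaping inside the filter; `format_html()` (or `conditional_escape()` together with `needs_autoescape=True`) makes the filter correct for both safe and unsafe inputs, after which `is_safe` is no longer load-bearing.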
Impact
An attacker who controls any text the mis-flagged filter emits (its argument, data it looks up, or the input it rewrites) can place script or event-handler attributes in the rendered page, i.e. stored or reflected cross-site scripting. The script runs in the victim's browser under the application's origin and session, so it can read page content and form data, steal session tokens that are not protected by HttpOnly, and perform authenticated actions on the user's behalf, putting both users and the application at risk.