SYM_PY_0188 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Property | Value |
| --- | --- |
| Language | python |
| Severity | low |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

Passing an already-formatted string (such as an f-string or the result of .format()) as the first argument to Django's format_html bypasses automatic HTML escaping: format_html only escapes the values it receives as separate arguments, never the format string itself. Any user input interpolated into that first argument is therefore inserted into the HTML unescaped, leading to cross-site scripting.
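The vulnerable call pattern beside its fixed form, as an added example that is not part of the database entry. It uses Django's real format_html when Django is importable and otherwise falls back to a stdlib stand-in that mirrors the documented behaviour (arguments escaped, format string trusted); the render_* functions and the sample username are constructed for illustration.

```python
import html

try:
    # Real Django API: escapes *args/**kwargs, trusts format_string.
    from django.utils.html import format_html
except ImportError:
    # Stand-in (assumption) with the same escaping rule, so the example
    # runs without Django installed. Not Django's own implementation.
    def format_html(format_string, *args, **kwargs):
        safe_args = [html.escape(str(a)) for a in args]
        safe_kwargs = {k: html.escape(str(v)) for k, v in kwargs.items()}
        return format_string.format(*safe_args, **safe_kwargs)


def render_greeting_unsafe(username: str) -> str:
    # VULNERABLE: the f-string interpolates user input into the format
    # string itself, so format_html has no argument left to escape.
    return format_html(f"<p>Hello, {username}!</p>")


def render_greeting_unsafe_format(username: str) -> str:
    # VULNERABLE: same defect via str.format(); the value is already
    # inside the string before format_html ever sees it.
    return format_html("<p>Hello, {}!</p>".format(username))


def render_greeting_safe(username: str) -> str:
    # FIXED: the literal markup is the format string and the user input
    # is passed as an argument, so format_html escapes it.
    return format_html("<p>Hello, {}!</p>", username)


def contains_raw_script(markup: str) -> bool:
    # Simple review-time check: did a literal <script> tag survive?
    return "<script>" in markup


if __name__ == "__main__":
    # Constructed sample input resembling what a user could submit.
    sample = "<script>alert(1)</script>"
    print(render_greeting_unsafe(sample))         # tag survives unescaped
    print(render_greeting_unsafe_format(sample))  # tag survives unescaped
    print(render_greeting_safe(sample))           # tag is escaped
```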

Impact

An attacker could inject malicious scripts (XSS) into your web pages, potentially stealing user data, hijacking sessions, or defacing the site. This compromises user trust and may expose sensitive information or enable further attacks on your application and users.