SYM_PY_0190 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Defining an `__html__` method on a class in Django tells the template engine that the object's output is already safe and should be rendered without escaping, so whatever that method returns is emitted as raw HTML. If any user-controlled data flows into that return value unescaped, this makes it easy to introduce cross-site scripting (XSS) vulnerabilities.
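To make the mechanism concrete, the following is an added example (not code from the Symbiotic database or from Django itself). It re-implements, with the standard library only, the rule Django's template engine applies when escaping a value: an object that exposes `__html__` is trusted verbatim, anything else is HTML-escaped. The `UnsafeWidget` and `SafeWidget` classes, the `render_template` helper and the sample input are constructed for this illustration.

```python
import html
import re

# Constructed sample of attacker-controlled data (e.g. a profile field).
USER_INPUT = '<script>alert(1)</script>'


def conditional_escape(value):
    """Emulates the escaping rule used by Django's template engine (assumption of
    this example, not Django's code): objects with __html__ are trusted and
    rendered as-is; everything else is escaped before it reaches the page."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return html.escape(str(value), quote=True)


class UnsafeWidget:
    """Vulnerable pattern: __html__ embeds user data into markup without escaping,
    so the template engine's auto-escaping never sees it."""

    def __init__(self, label):
        self.label = label

    def __html__(self):
        return f'<span class="label">{self.label}</span>'


class SafeWidget:
    """Hardened pattern: only the markup the class itself writes is trusted;
    the user-controlled part is escaped before being spliced in."""

    def __init__(self, label):
        self.label = label

    def __html__(self):
        return f'<span class="label">{html.escape(self.label, quote=True)}</span>'


def render_template(template, context):
    """Tiny stand-in for a template engine: every {{ name }} placeholder is
    replaced with the conditionally escaped context value."""
    def substitute(match):
        return conditional_escape(context[match.group(1)])
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", substitute, template)


def render_unsafe(user_input=USER_INPUT):
    """Page built from the vulnerable widget: the script tag survives intact."""
    return render_template("<p>Tag: {{ widget }}</p>", {"widget": UnsafeWidget(user_input)})


def render_safe(user_input=USER_INPUT):
    """Page built from the hardened widget: the script tag is neutralised."""
    return render_template("<p>Tag: {{ widget }}</p>", {"widget": SafeWidget(user_input)})


def render_plain(user_input=USER_INPUT):
    """Same input passed as a plain string: auto-escaping applies as usual."""
    return render_template("<p>Tag: {{ widget }}</p>", {"widget": user_input})


if __name__ == "__main__":
    print("unsafe:", render_unsafe())
    print("safe:  ", render_safe())
    print("plain: ", render_plain())
```

The plain-string case shows why the finding is specific to `__html__`: the same input handed to the engine as an ordinary string is escaped automatically, and it is only the "trust me" contract of `__html__` that removes that protection. When reviewing code, treat every `__html__` implementation as an escaping boundary and check that each interpolated value is either a constant or has been escaped by the method itself.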
Impact
If exploited, attackers could inject malicious scripts into your web pages, leading to data theft, session hijacking, or defacement of your site. This could compromise user data, damage your application's reputation, and expose your organization to compliance risks.