SYM_PY_0193 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Extending Django's 'SafeString', 'SafeText', or 'SafeData' classes disables automatic HTML escaping, which can allow untrusted data to be rendered as raw HTML. This practice can easily introduce cross-site scripting (XSS) vulnerabilities if any user input is included.
Impact
If exploited, attackers could inject malicious scripts into web pages, leading to data theft, session hijacking, or defacement. This compromises user trust and can result in serious security breaches affecting both users and the organization.