SYM_PY_0239 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Property | Value |
|---|---|
| Language | python |
| Severity | medium |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

Rendering user data directly into the response in Pyramid, without passing it through a template engine, bypasses the built-in protection against cross-site scripting (XSS) that template auto-escaping provides. User input can then end up in the HTML output without being escaped for the context it is written into.
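The following is an added example, not code from the SymbioticSec database or from Pyramid itself. It places the flagged pattern (a view that concatenates a user-supplied value straight into an HTML body) next to a hardened form that escapes the value with the standard library before building the body. The view functions take the user value as a plain argument; in a real Pyramid view it would come from `request.params`. Pyramid is optional here: if `pyramid.response.Response` cannot be imported, a minimal stand-in class (an assumption made so the example runs offline) is used instead, and the sample input is constructed for illustration.

```python
"""Added example (not part of the wiki entry or of Pyramid): hand-built HTML
response versus an escaped one. Runs with or without Pyramid installed."""
import html

try:
    # Real Pyramid/WebOb Response when Pyramid is installed.
    from pyramid.response import Response
except ImportError:
    # Assumption: a tiny stand-in with the same `text` attribute so the
    # example still runs offline without Pyramid.
    class Response:
        def __init__(self, text="", content_type="text/html"):
            self.text = text
            self.content_type = content_type


# Constructed sample input: the kind of value an untrusted query parameter
# might carry. Used only to show the difference between the two views.
SAMPLE_NAME = "<script>alert(1)</script>"


def greet_vulnerable(name: str) -> Response:
    """The pattern this entry flags: user data interpolated directly into the
    HTML body with no template engine, so nothing escapes <, >, & or quotes."""
    return Response(text=f"<h1>Hello, {name}!</h1>", content_type="text/html")


def greet_escaped(name: str) -> Response:
    """Hardened form: escape for an HTML text context before building the body.
    quote=True also encodes ' and \", so the value is safe inside attributes too."""
    safe = html.escape(name, quote=True)
    return Response(text=f"<h1>Hello, {safe}!</h1>", content_type="text/html")


def contains_raw_script_tag(body: str) -> bool:
    """Simple check used to confirm whether a rendered body still carries a
    literal <script> tag (i.e. whether the input reached the page unescaped)."""
    return "<script" in body.lower()


if __name__ == "__main__":
    for view in (greet_vulnerable, greet_escaped):
        resp = view(SAMPLE_NAME)
        print(f"{view.__name__}: {resp.text}")
        print("  raw <script> present:", contains_raw_script_tag(resp.text))
```

`html.escape` is the right tool only for HTML text and attribute contexts; a value written into a `<script>` block, a URL, or inline CSS needs context-specific encoding, which is one reason the entry recommends letting a template engine with auto-escaping produce the response rather than building it by hand.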

Impact

If exploited, attackers could inject malicious scripts into your web pages, allowing them to steal user data, hijack sessions, or deface your site. This exposes both your users and your application to significant security risks, including data theft and loss of trust.