SYM_RB_0048 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Property | Value |
|---|---|
| Language | ruby |
| Severity | low |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

Using Rails' content_tag() can bypass automatic HTML escaping, allowing untrusted data to be rendered directly in the browser. If external input reaches content_tag() without proper sanitization, it can introduce cross-site scripting (XSS) vulnerabilities.
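
A review-time check for the pattern described above, written as an added example (it is not this rule's own implementation): it parses Ruby source with the standard-library Ripper parser and reports each `content_tag` call whose arguments reference request-derived input directly. The `SOURCES` list, the function names, and the sample lines (including the `view` receiver) are assumptions constructed for illustration.

```ruby
require 'ripper'

# Assumption: these helper names are treated as request-derived input.
SOURCES = %w[params cookies request].freeze

# Names of bare method calls / variables (e.g. `params`) used beneath a node.
def bare_names(node, out = [])
  return out unless node.is_a?(Array)
  if %i[vcall var_ref].include?(node[0]) && node[1].is_a?(Array) && node[1][0] == :@ident
    out << node[1][1]
  end
  node.each { |child| bare_names(child, out) }
  out
end

# For a call node, return [method-name token, argument subtree]; nil otherwise.
def callee_and_args(node)
  case node[0]
  when :command      then [node[1], node[2]]   # content_tag :div, x
  when :command_call then [node[3], node[4]]   # view.content_tag :div, x
  when :method_add_arg                         # content_tag(...) / view.content_tag(...)
    head = node[1]
    [head[0] == :fcall ? head[1] : head[3], node[2]]
  end
end

# Return [line, source_name] for each content_tag call fed by a SOURCES name.
def tainted_content_tag_calls(source)
  findings = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    callee, args = callee_and_args(node)
    if callee.is_a?(Array) && callee[0] == :@ident && callee[1] == 'content_tag'
      (bare_names(args) & SOURCES).each { |src| findings << [callee[2][0], src] }
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(Ripper.sexp(source))
  findings
end

# Constructed sample lines, not taken from any real application.
SAMPLE = <<~'RUBY'
  content_tag(:div, params[:bio], class: "bio")
  content_tag :span, "Verified", class: "badge"
  view.content_tag(:div, text, class: cookies[:theme])
RUBY

tainted_content_tag_calls(SAMPLE).each { |line, src| puts "line #{line}: content_tag receives #{src}" }
```

The check only sees direct references inside the call; input that is first assigned to a local variable or passed through another helper is not followed, so a clean result does not prove the call is safe.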

Impact

An attacker could inject malicious scripts into your application's pages, potentially stealing user data, hijacking sessions, or defacing the site. This can compromise user trust, lead to data breaches, and expose your organization to legal and reputational risks.