SYM_RB_0055 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Using 'render text:' in Rails sets the response content-type to 'text/html', which means any user-supplied data rendered this way can be interpreted as HTML. This can allow attackers to inject malicious scripts if external input is included, leading to cross-site scripting (XSS) vulnerabilities.
Impact
If exploited, an attacker could execute malicious JavaScript in users’ browsers, leading to data theft, session hijacking, or defacement of your application. This compromises user trust, can expose sensitive information, and may result in regulatory or reputational damage.