Markup Escaping Disabled
Description
Markup escaping is disabled. In some template engines this setting controls whether HTML entities in interpolated values are escaped before rendering; turning it off lets user-controlled data be inserted into the page as raw HTML, leading to XSS attacks.
Examples
Insecure Code
```javascript
// Interpolated values are inserted verbatim, so markup in user input is rendered as HTML.
$OBJ.escapeMarkup = false;
```
Secure Code
```javascript
// Interpolated values are HTML-escaped before rendering.
$OBJ.escapeMarkup = true;
```
Remediation
Enable markup escaping to prevent XSS attacks. Set $OBJ.escapeMarkup to true.
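The following is an added example, not code from the rule or from any particular template engine. It uses a small constructed renderer with an escapeMarkup option of the same name to show what the two settings above actually do to the same input, and includes a check a reviewer can run over rendered output to spot tags that did not come from the template itself. The renderer, the sample template and the sample data are all assumptions made for the demonstration.

```javascript
// Constructed stand-in for a template engine with an escapeMarkup switch.
// Not the engine the rule refers to; only the option name is taken from the rule.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can change HTML structure or break out of
// an attribute value. Everything else is passed through unchanged.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a template such as "<li>{{name}}</li>" by substituting values from
// `data`. When options.escapeMarkup is true (the secure setting) every
// interpolated value is HTML-escaped; when false it is inserted verbatim.
function render(template, data, options = { escapeMarkup: true }) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => {
    const value = data[key] === undefined ? "" : data[key];
    return options.escapeMarkup ? escapeHtml(value) : String(value);
  });
}

// Constructed sample: a display name that happens to contain markup characters.
const SAMPLE_TEMPLATE = '<li class="user">{{name}}</li>';
const SAMPLE_DATA = { name: '<b>Mallory</b> & "friends"' };

// With escaping disabled the markup in the value becomes part of the page.
function renderInsecure() {
  return render(SAMPLE_TEMPLATE, SAMPLE_DATA, { escapeMarkup: false });
}

// With escaping enabled the same value is rendered as literal text.
function renderSecure() {
  return render(SAMPLE_TEMPLATE, SAMPLE_DATA, { escapeMarkup: true });
}

// Reviewer check: every tag in the rendered output should already appear in the
// template. A tag that is present in the output but not in the template was
// contributed by interpolated data, which means escaping is not in effect.
function containsOnlyTemplateTags(template, output) {
  const tagPattern = /<\/?[a-zA-Z][^>]*>/g;
  const templateTags = new Set(template.match(tagPattern) || []);
  const outputTags = output.match(tagPattern) || [];
  return outputTags.every((tag) => templateTags.has(tag));
}

console.log("escapeMarkup=false:", renderInsecure());
console.log("escapeMarkup=true: ", renderSecure());
console.log("insecure output passes tag check:", containsOnlyTemplateTags(SAMPLE_TEMPLATE, renderInsecure()));
console.log("secure output passes tag check:  ", containsOnlyTemplateTags(SAMPLE_TEMPLATE, renderSecure()));
```

The tag check is deliberately conservative: it only flags output tags that are absent from the template, so it produces no false positives for markup the template author wrote, and it fails as soon as a single interpolated value reaches the page unescaped.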
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0431 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-116 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XSS, template engine |
| OWASP | A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection |