Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The application renders Mako templates without neutralizing the values it interpolates, so user-supplied input that reaches a template expression is written into the page verbatim and can carry script (Cross-Site Scripting, XSS). To prevent this, escape every expression by default and use custom Mako filters that encode user input for the context it lands in (HTML body, link attribute, JavaScript string).
Examples
Insecure Code

```python
from mako.template import Template

# No default filter: every ${...} expression is emitted exactly as supplied,
# so user input is written into the page unescaped.
t = Template(template_text)
```

Secure Code

```python
from mako.template import Template

# 'h' HTML-escapes every expression unless an expression opts out with the 'n' filter;
# escape_link and escape_js are custom, context-specific filters made available
# to the template's module namespace via `imports`.
t = Template(template_text, default_filters=['h'], imports=['from filters import escape_link, escape_js'])
```

Remediation
Implement custom mako filters to escape or encode user input, such as the `escape_link` and `escape_js` functions provided in the example, and pass `default_filters` to the `Template` or `TemplateLookup` constructors.
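An added example of what such context-specific filters look like (not the rule's or Mako's own code): `escape_js` and `escape_link` are hypothetical implementations of the two filters named above, the template text and sample values are constructed, and `render_demo` assumes Mako is installed.

```python
import html
import json
import re
from urllib.parse import urlsplit

# Schemes a rendered link may use; javascript:, data:, vbscript: and the like are refused.
_SAFE_SCHEMES = {"", "http", "https", "mailto"}

# Constructed template: `n` switches the default 'h' filter off for the two expressions
# that get a context-specific filter, so their output is not HTML-escaped a second time
# (Mako applies default_filters first and the expression's own filters on top).
TEMPLATE_TEXT = (
    '<a href="${link | n, escape_link}">${label}</a>\n'
    '<script>var label = "${label | n, escape_js}";</script>'
)


def escape_js(value):
    """Escape `value` for use inside a quoted JavaScript string literal.

    json.dumps covers quotes, backslashes and control characters; `<`, `>`, `&`
    and `'` are additionally \\u-encoded so `</script>` or a stray single quote
    cannot terminate the script block or the enclosing string.
    """
    encoded = json.dumps(str(value))[1:-1]  # drop the surrounding double quotes
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"), ("'", "\\u0027")):
        encoded = encoded.replace(ch, esc)
    return encoded


def escape_link(value):
    """Escape `value` for use as an href/src attribute value.

    C0 control characters are removed first because browsers ignore tabs and
    newlines inside a scheme ("java\\tscript:" still runs). Any scheme outside
    _SAFE_SCHEMES is replaced by "#", then the URL is escaped for the attribute.
    """
    url = re.sub(r"[\x00-\x1f\x7f]", "", str(value)).strip()
    if urlsplit(url).scheme.lower() not in _SAFE_SCHEMES:
        url = "#"
    return html.escape(url, quote=True)


def render_demo():
    """Render TEMPLATE_TEXT with Mako (needs `pip install mako`)."""
    from mako.template import Template
    t = Template(TEMPLATE_TEXT, default_filters=["h"],
                 imports=[f"from {__name__} import escape_link, escape_js"])
    return t.render(link="javascript:alert(1)", label="<b>Ann</b> O'Neil")


if __name__ == "__main__":
    print(render_demo())
```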
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0143 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | xss, cross-site scripting, input validation |
| OWASP | A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection |