Cross-Site Scripting (XSS) via Improper Neutralization of Input
Description
The code is vulnerable to Cross-Site Scripting (XSS) attacks due to improper neutralization of input during web page generation. User input must be encoded, sanitized, or validated to prevent it from being treated as HTML or executed as JavaScript code.
Examples
Insecure Code

```python
from django.utils.safestring import mark_safe

# Vulnerable: href (untrusted input) is interpolated unescaped, and the
# whole string is then marked safe, so the template engine will not escape it.
mark_safe('<li><a href=\'{}\'>Some Link</a></li>'.format(href))
```

Secure Code

```python
from django.utils.html import format_html

# Safe: format_html escapes href before inserting it into the template.
format_html('<li><a href=\'{}\'>Some Link</a></li>', href)
```

Remediation
Use `django.utils.html.format_html` instead of `django.utils.safestring` methods to create HTML links and ensure user input is encoded automatically.
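The following is an added example, not code from the rule or from Django, that renders the same link with both patterns so the difference is visible. It uses Django's helpers when Django is installed and otherwise falls back to a minimal local analogue of `conditional_escape`/`format_html` (an assumption made for this example); the input string is constructed and only contains HTML metacharacters.

```python
import html

try:
    from django.utils.html import conditional_escape, format_html
    from django.utils.safestring import mark_safe
except ImportError:
    # Fallback analogue for running without Django (assumption for this example):
    # mirrors how Django tags already-escaped strings and escapes everything else.
    class SafeString(str):
        """Marker type: the content is trusted and must not be escaped again."""

    def mark_safe(s):
        return SafeString(s)

    def conditional_escape(value):
        if isinstance(value, SafeString):
            return value
        return SafeString(html.escape(str(value), quote=True))

    def format_html(template, *args, **kwargs):
        # Every argument is escaped unless it is already marked safe; the
        # template literal itself is trusted and left untouched.
        safe_args = [conditional_escape(a) for a in args]
        safe_kwargs = {k: conditional_escape(v) for k, v in kwargs.items()}
        return mark_safe(template.format(*safe_args, **safe_kwargs))


TEMPLATE = "<li><a href='{}'>Some Link</a></li>"

# Constructed input containing an ampersand, quotes and angle brackets.
UNTRUSTED_HREF = "/p?a=1&b='<x>'"


def insecure_link(href):
    """Pattern flagged by CODE-0814: interpolate first, then mark the result safe."""
    return mark_safe(TEMPLATE.format(href))


def secure_link(href):
    """Remediation: format_html escapes href before interpolation."""
    return format_html(TEMPLATE, href)


if __name__ == "__main__":
    # The insecure variant keeps the raw quote, which closes the href attribute;
    # the secure variant renders the same input as inert entity references.
    print(insecure_link(UNTRUSTED_HREF))
    print(secure_link(UNTRUSTED_HREF))
```

Note that an argument already wrapped in `mark_safe` is passed through `format_html` unescaped, so the remediation only holds when untrusted values reach `format_html` as plain strings.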
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0814 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | xss, injection |
| OWASP | A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection |