# Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

**Stack:** Python

- Prevalence: Élevée Fréquemment exploitée
- Impact: Critique 1 règles de sévérité critique
- Prevention: Documentée 4 exemples de correctifs

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Cross-site scripting (XSS) vulnerabilities occur when untrusted data enters a web application and is sent to a web browser without proper validation or encoding. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

## Prevention

Stratégies de prévention pour Cross-Site Scripting (XSS) basées sur 1 règles de détection Shoulder.

### Python

Use template rendering with auto-escaping or html.escape() for manual escaping

## Warning Signs

- [HIGH] untrusted user input being rendered in HTML responses without proper
escaping

## Consequences

- Exécuter du code non autorisé
- Contourner le mécanisme de protection
- Lecture des données de l'application
- Modification des données de l'application

## Mitigations

- Utilisez une bibliothèque ou un framework éprouvé qui empêche cette faiblesse
- Comprenez le contexte dans lequel vos données seront utilisées et l'encodage attendu
- Utilisez Content Security Policy (CSP) pour atténuer l'impact

## Detection

- Total rules: 4
- Critical: 1
- Languages: javascript, typescript, python

## Rules by Language

### Python (1 rules)

- **Cross-Site Scripting (XSS) in Templates** [HIGH]: Detects untrusted user input being rendered in HTML responses without proper
escaping.
  - Remediation: Use template rendering with auto-escaping, or escape manually with html.escape().

```python
import html
safe_text = html.escape(user_input)
```

Learn more: https://shoulder.dev/learn/python/cwe-79/xss