# Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

**Stack:** Python

- Prevalence: High, frequently exploited
- Impact: Critical, 1 rule of critical severity
- Prevention: Documented, 4 fix examples

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Cross-site scripting (XSS) vulnerabilities occur when untrusted data enters a web application and is sent to a web browser without proper validation or encoding. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

## Prevention

Cross-Site Scripting (XSS) prevention measures based on 1 Shoulder detection rule.

### Python

Use template rendering with auto-escaping, or html.escape() for manual escaping.

## Warning Signs

- [HIGH] Untrusted user input being rendered in HTML responses without proper escaping

## Consequences

- Execution of unauthorized code
- Bypass of protection mechanisms
- Reading of application data
- Modification of application data

## Mitigations

- Use a vetted library or framework that does not allow this weakness to occur
- Understand the context in which the data will be used and the encoding that context expects
- Use Content Security Policy (CSP) to limit the impact

## Detection

- Total rules: 4
- Critical: 1
- Languages: javascript, typescript, python

## Rules by Language

### Python (1 rule)

- **Cross-Site Scripting (XSS) in Templates** [HIGH]: Detects untrusted user input being rendered in HTML responses without proper escaping.
  - Remediation: Use template rendering with auto-escaping, or escape manually with html.escape().

```python
import html

safe_text = html.escape(user_input)
```

Learn more: https://shoulder.dev/learn/python/cwe-79/xss
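The following added example (written for this page, not part of the Shoulder rule set or its documentation) puts the pattern the Python rule flags next to the remediation it recommends: one function interpolates a user-supplied comment straight into HTML, the other neutralizes it with html.escape(), and a third shows the attribute context, where the default quote=True also encodes the quote characters. Function names and the sample comment are constructed for the example.

```python
import html

# Constructed sample input: a comment body carrying markup and quote characters.
UNTRUSTED_COMMENT = '<script>alert(1)</script> "quoted" & more'


def render_comment_vulnerable(comment: str) -> str:
    """The pattern the rule flags: user input placed into HTML verbatim.

    Whatever markup the comment contains becomes part of the page."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_escaped(comment: str) -> str:
    """Remediation for the HTML text context: html.escape() replaces
    &, <, >, " and ' with entity references, so the browser renders the
    comment as text instead of parsing it as markup."""
    return f"<div class='comment'>{html.escape(comment)}</div>"


def render_title_attribute(title: str) -> str:
    """Remediation for a quoted attribute context. quote=True is the default;
    it is spelled out here because an attribute value needs it: without it a
    double quote in the input would close the attribute early."""
    return f'<a href="/post" title="{html.escape(title, quote=True)}">post</a>'


def input_survives_verbatim(rendered: str, original: str) -> bool:
    """Simple check a reviewer can apply: if the raw input string appears
    unchanged in the output, no neutralization happened on that path."""
    return original in rendered
```

html.escape() covers HTML text and quoted-attribute contexts only; a value placed inside a script block, a URL, or a CSS property needs the encoding appropriate to that context, which is what the "understand the context" mitigation above refers to.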