# Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

**Stack:** Python

- Prevalence: High (frequently exploited)
- Impact: Critical (1 rule at critical severity)
- Prevention: 4 remediation examples documented

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Cross-site scripting (XSS) vulnerabilities occur when untrusted data enters a web application and is sent to a web browser without proper validation or encoding. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

## Prevention

Cross-Site Scripting (XSS) prevention strategy based on 1 Shoulder detection rule.

### Python

Use template rendering with auto-escaping, or html.escape() for manual escaping.

## Warning Signs

- [HIGH] Untrusted user input being rendered in HTML responses without proper escaping

## Consequences

- Execute unauthorized code
- Bypass protection mechanisms
- Read application data
- Modify application data

## Mitigations

- Use a vetted library or framework that prevents this weakness
- Understand the context in which the data will be used and the encoding that context expects
- Use Content Security Policy (CSP) to reduce the impact

## Detection

- Total rules: 4
- Critical: 1
- Languages: javascript, typescript, python

## Rules by Language

### Python (1 rule)

- **Cross-Site Scripting (XSS) in Templates** [HIGH]: Detects untrusted user input being rendered in HTML responses without proper escaping.
  - Remediation: Use template rendering with auto-escaping, or escape manually with html.escape().

```python
import html

user_input = "<b>untrusted</b>"  # constructed sample value standing in for request data

# html.escape() converts &, <, >, " and ' into HTML entities, so the browser
# displays the input as text instead of interpreting it as markup
safe_text = html.escape(user_input)
```

Learn more: https://shoulder.dev/learn/python/cwe-79/xss
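The remediation above in a worked form, added here as an example that is not part of the Shoulder rule or its documentation: the raw-concatenation pattern the rule flags beside its escaped counterpart, plus the attribute context, where escaping alone does not make an arbitrary URL safe. The function names and sample inputs are constructed for this example.

```python
import html


def render_greeting_unsafe(name: str) -> str:
    # Pattern the rule flags: user-controlled text dropped straight into HTML.
    # Whatever markup the value contains is parsed by the browser as markup.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # html.escape() turns &, <, >, " and ' into entities, so the browser renders
    # the value as text. This is the text-node context; attributes need more.
    return f"<p>Hello, {html.escape(name)}!</p>"


def render_link_safe(label: str, href: str) -> str:
    # Attribute context: keep quote=True (the default) so a quote character in the
    # input cannot close the attribute. Escaping does not constrain *what* URL is
    # placed in href, so the scheme is checked separately: anything that is not
    # plain http(s) falls back to a harmless "#" (an assumption for this example,
    # chosen to demonstrate context-aware handling rather than a general URL policy).
    if not href.lower().startswith(("http://", "https://")):
        href = "#"
    return f'<a href="{html.escape(href)}">{html.escape(label)}</a>'


def contains_unescaped_markup(rendered: str, untrusted: str) -> bool:
    # Simple defender-side check usable in a unit test: the untrusted value must
    # not appear verbatim in the output when it contains HTML-significant characters.
    return any(c in untrusted for c in '<>"\'&') and untrusted in rendered


# Constructed probe inputs (not real attack data): a markup fragment for the
# text context and a quote-breaking value for the attribute context.
PROBE_TEXT = "<script>alert(1)</script>"
PROBE_ATTR = 'x" onclick="f()'

if __name__ == "__main__":
    print(render_greeting_unsafe(PROBE_TEXT))
    print(render_greeting_safe(PROBE_TEXT))
    print(render_link_safe(PROBE_ATTR, "https://example.com/"))
    print(render_link_safe("home", "javascript:void(0)"))
```

The `contains_unescaped_markup` helper is the kind of assertion worth keeping in a project's own tests so that a regression to the unsafe pattern fails CI rather than reaching users.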