
CWE-83 (Improper Neutralization of Script in Attributes of a Web Page) — Vulnerability Class 12

12 vulnerabilities classified as CWE-83 (Improper Neutralization of Script in Attributes of a Web Page). AI Chinese analysis included.

CWE-83 is a neutralization weakness in which a web application fails to properly sanitize user-supplied data placed into dangerous HTML attributes, such as onmouseover, onload, or style, or into URL-bearing attributes such as href and src. Attackers typically exploit it by injecting JavaScript directly into those attributes (for example a "javascript:" URI or an event-handler attribute), bypassing filters that only check the tag body for script tags. The result is Cross-Site Scripting (XSS): arbitrary script runs in the victim's browser and can steal session cookies, deface the site, or redirect users to phishing pages. To prevent this, developers must apply output encoding that is specific to the attribute context (quote every attribute value and encode quote characters inside it) together with strict, allowlist-based validation of attribute values, including the scheme of any URL written into href or src. Using well-maintained security libraries that escape special characters automatically, and enforcing Content Security Policy headers that restrict which scripts may execute, further reduces the risk and keeps user-supplied data inert within the DOM.

MITRE CWE Description
The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Read Application Data; Execute Unauthorized Code or Commands.
Mitigations (4)
Phase: Implementation. Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS v…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
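The following is an added example (not code from this page, MITRE, or any of the listed projects) showing why the first two mitigations must be applied in the attribute context specifically: a renderer that escapes only the text node still lets an untrusted value close a quoted attribute and add a new one, and still writes a "javascript:" URI into href. The hardened renderer quote-escapes every attribute value and allowlists the URL scheme after normalising the way browsers do (tabs and newlines removed, leading and trailing control characters stripped). The sample inputs, function names and the ALLOWED_SCHEMES set are all constructed for this illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from any CVE on this page): a display
# name that tries to terminate the title attribute and start an event-handler
# attribute, and a link that uses the javascript: scheme.
UNTRUSTED_NAME = 'Alice" onmouseover="injected'
UNTRUSTED_URL = "javascript:injected"

# Schemes we are willing to place into href/src (an assumption for this example);
# anything else (javascript:, data:, vbscript:, unknown) is replaced by a fallback.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# ASCII C0 control characters plus space; browsers strip these from both ends
# of a URL before parsing it.
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def text(value: str) -> str:
    """Escape for an HTML text node: only <, > and & matter there."""
    return html.escape(value, quote=False)


def attr(value: str) -> str:
    """Escape for a double-quoted attribute value: quotes must be encoded too,
    otherwise the value can end the attribute and introduce new ones."""
    return html.escape(value, quote=True)


def safe_url(url: str, fallback: str = "#") -> str:
    """Allowlist the scheme of a URL destined for href/src.

    Browsers delete tab/CR/LF anywhere in a URL and strip leading/trailing C0
    controls before parsing, so 'java\\tscript:' still runs as javascript:.
    Normalise the same way, then check the scheme.
    """
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip(C0_AND_SPACE)
    if not cleaned:
        return fallback
    parts = urlsplit(cleaned)  # urlsplit lower-cases the scheme for us
    if parts.scheme:
        return cleaned if parts.scheme in ALLOWED_SCHEMES else fallback
    # No scheme: accept site-relative paths only, not protocol-relative //host.
    if parts.netloc or cleaned.startswith("//"):
        return fallback
    return cleaned


def render_link_vulnerable(name: str, url: str) -> str:
    """Escapes only the text node ('the tag body'); attribute values go in raw."""
    return f'<a href="{url}" title="{name}">{text(name)}</a>'


def render_link_hardened(name: str, url: str) -> str:
    """Attribute context: scheme-allowlist the URL, then quote-escape every
    attribute value. Text context: escape the body."""
    return f'<a href="{attr(safe_url(url))}" title="{attr(name)}">{text(name)}</a>'


class _FirstAnchorAttrs(HTMLParser):
    """Collects the attributes of the first <a> element the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}
        self._seen = False

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self._seen:
            self._seen = True
            self.attrs = dict(attrs)  # values are already entity-decoded


def rendered_attributes(markup: str) -> dict:
    """Parse the markup as a browser would (roughly) and return the attributes
    that actually end up on the <a> element. Grepping the string for
    'onmouseover' is not enough: the same characters legitimately appear in
    the escaped text node of the hardened output."""
    parser = _FirstAnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    for render in (render_link_vulnerable, render_link_hardened):
        markup = render(UNTRUSTED_NAME, UNTRUSTED_URL)
        print(render.__name__, "->", markup)
        print("  attributes seen by the parser:", rendered_attributes(markup))
```

Run as a script it prints both renderings; the parsed attribute dictionaries make the difference concrete: the vulnerable output carries an onmouseover attribute and a javascript: href, the hardened output carries only href="#" and the intended title. The detector deliberately parses rather than string-matches, because the hardened text node still contains the literal characters of the injected attribute, harmlessly.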
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-23516 | CVAT vulnerable to XSS via skeleton SVG images | cvat | 6.5 (AI) | Medium (AI) | 2026-01-21
CVE-2026-22849 | Saleor lacks proper HTML sanitization in rich text fields | saleor | 5.4 (AI) | Medium (AI) | 2026-01-21
CVE-2025-4615 | PAN-OS: Improper Neutralization of Input in the Management Web Interface | Cloud NGFW | 7.2 (AI) | High (AI) | 2025-10-09
CVE-2025-0137 | PAN-OS: Improper Neutralization of Input in the Management Web Interface | Cloud NGFW | 7.2 (AI) | High (AI) | 2025-05-14
CVE-2025-0125 | PAN-OS: Improper Neutralization of Input in the Management Web Interface | Cloud NGFW | 7.2 (AI) | High (AI) | 2025-04-11
CVE-2024-9103 | Persistent XSS in blocked messages | Email Security | 6.1 | Medium | 2025-03-24
CVE-2025-27145 | copyparty renders unsanitized filenames as HTML when user uploads empty files | copyparty | 3.6 | Low | 2025-02-25
CVE-2023-37908 | org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability | xwiki-rendering | 9.1 | Critical | 2023-10-25
CVE-2023-30958 | DOM XSS in Developer mode dashboard via redirect GET parameter | com.palantir.foundry:foundry-frontend | 4.7 | Medium | 2023-08-03
CVE-2023-32070 | Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers | xwiki-rendering | 9.1 | Critical | 2023-05-10
CVE-2022-39262 | Stored Cross-Site Scripting (XSS) on login page in GLPI | glpi | 5.2 | Medium | 2022-11-03
CVE-2020-14525 | Philips Clinical Collaboration Platform Improper Neutralization of Script in Attributes in a Web Page | Clinical Collaboration Platform | 3.5 | Low | 2020-09-18

Vulnerabilities classified as CWE-83 (Improper Neutralization of Script in Attributes of a Web Page) represent 12 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.