CME-1306

XSS Prevention (Context-Aware Output Encoding)

Description

Application applies context-aware output encoding to all user-controlled data before rendering in HTML, JavaScript, CSS, or URL contexts. Uses framework auto-escaping (Django, Jinja2 autoescape, React JSX) rather than manual sanitization. Combined with CSP headers (CME-905), provides defense-in-depth against XSS.
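The following is an added illustration of the description above, not code from the CME catalog or from any framework it names. It shows why the encoding must match the output context: the same untrusted value is placed into HTML text, a quoted attribute, a JavaScript string literal, and a URL query parameter, each through the encoder for that context, using only the Python standard library (html.escape, json.dumps, urllib.parse.quote). The sample input, the page layout, and the helper names (render_profile, render_profile_unsafe, contains_live_markup) are constructed for this example; the unsafe renderer is the "before" form that string concatenation without encoding produces.

```python
import html
import json
from urllib.parse import quote

# Constructed sample of untrusted input, e.g. a display name submitted in a form.
UNTRUSTED = '<script>alert("x")</script>'


def encode_for_html_text(value: str) -> str:
    """HTML body context: encode & < > " ' so markup is rendered as text."""
    return html.escape(value, quote=True)


def encode_for_html_attr(value: str) -> str:
    """Quoted attribute context: same entity encoding; the caller must wrap
    the result in double quotes so a stray space cannot start a new attribute."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JavaScript string-literal context inside <script>: emit a JSON literal,
    then escape < and > so the literal cannot contain a closing </script> tag."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def encode_for_url_param(value: str) -> str:
    """URL query-parameter context: percent-encode everything except
    unreserved characters (safe="" also encodes '/')."""
    return quote(value, safe="")


def render_profile(name: str) -> str:
    """Render one untrusted value in four contexts, each with its own encoder."""
    return (
        f"<h1>{encode_for_html_text(name)}</h1>\n"
        f'<input value="{encode_for_html_attr(name)}">\n'
        f"<script>var who = {encode_for_js_string(name)};</script>\n"
        f'<a href="/search?q={encode_for_url_param(name)}">search</a>\n'
    )


def render_profile_unsafe(name: str) -> str:
    """The 'before' form: plain interpolation with no encoding at all."""
    return (
        f"<h1>{name}</h1>\n"
        f'<input value="{name}">\n'
        f"<script>var who = \"{name}\";</script>\n"
        f'<a href="/search?q={name}">search</a>\n'
    )


def contains_live_markup(rendered: str) -> bool:
    """Crude check used only to show the difference: the input's script tag
    appears verbatim in the output exactly when encoding was skipped."""
    return "<script>alert" in rendered


if __name__ == "__main__":
    safe_page = render_profile(UNTRUSTED)
    unsafe_page = render_profile_unsafe(UNTRUSTED)
    print(safe_page)
    print("encoded page carries live markup:", contains_live_markup(safe_page))
    print("unencoded page carries live markup:", contains_live_markup(unsafe_page))
```

The point of the four separate encoders is that a single "sanitize" step cannot serve every sink: entity encoding that is correct for HTML text does nothing inside a JavaScript string, and percent-encoding is wrong for an attribute. Framework auto-escaping (Jinja2 autoescape, Django templates, React JSX) applies the HTML-context encoder automatically; the JavaScript and URL contexts still need the matching encoder or a framework helper for that context.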

CVSS Vector Impacts

Metric                   Transition   Rationale
Attack Complexity (AC)   L → H        XSS payloads are HTML-encoded and rendered as text, not executed
Integrity (I)            H → L        Cannot inject scripts to modify page behavior or steal session tokens

CWE Relationships

Verification

Verify that template engine auto-escaping is enabled and that no raw/safe bypasses are applied to user-controlled data

$ grep -rn 'autoescape\|AUTOESCAPE' <app_source>/
# Expected: Auto-escaping enabled in template config
Platform: any