Detectify
Knowledge Base

Invalid HTML Content

Last Updated: Apr 22, 2017 12:26AM CEST

The Content-Type header is set to text/html, which tells web browsers to parse the response body as HTML. The body actually received is not HTML, so we believe the header is a mistake. This is not necessarily a security issue, but it does make the browser parse data that was never meant to be interpreted as markup.

What can happen?

Depending on the situation this can lead to an XSS vulnerability: if user-controlled input is reflected into the body, an attacker may be able to execute JavaScript in the vulnerable site's origin. Read our article about XSS for a more detailed description of the risks.

Example

This vulnerability often exists in callbacks, for example JSONP endpoints. If the value of the callback parameter is printed directly into the response without first being validated or encoded, and the response is served with Content-Type set to text/html, the result is an XSS vulnerability: the browser parses the reflected callback value as HTML, so a value containing a script tag runs in the site's origin.

However, this finding also appears when the developer has left files containing only plain text, or error pages without proper HTML, served as text/html. These cases are not security issues and can be marked as Accepted Risk to filter them out of future reports.

Remediation

Set the Content-Type header to the type that matches the body: application/json for JSON, application/javascript for JSONP and other scripts, text/plain for plain text. Adding the header X-Content-Type-Options: nosniff also stops browsers from second-guessing the declared type. If you believe the finding has no security implications for your website, you can leave it as is and mark it as Accepted Risk, so that we do not warn you about it in future scans.

When in doubt, just send an email to support@detectify.com and we will try to clear up any questions.
