CVE-2026-29048: Insecure Widget Label Encoding Default
greprules fetch cve-2026-29048-insecure-widget-label-encoding-default --engine opengrep

Description
UI widgets or components that disable output encoding by default (e.g., `encodeLabel = false`) introduce Cross-Site Scripting (XSS) risks. In a secure-by-default architecture, components should encode text labels by default. Raw HTML output should only occur when it is explicitly configured during component invocation, not as a blanket default. Change the pr
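
The difference between the two defaults, as an added example that is not code from the rule or from any affected project. Only the `encodeLabel` option name comes from the description; the widget, the helper names and the sample call sites are hypothetical and constructed for illustration.

```javascript
// Added example. Only `encodeLabel` comes from the page; all other names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds a link-rendering widget whose encodeLabel default is chosen by the caller,
// so the same rendering code can be compared under both defaults.
function makeLinkWidget(defaultEncodeLabel) {
  return function render({ label, url, encodeLabel = defaultEncodeLabel }) {
    const text = encodeLabel ? escapeHtml(label) : String(label);
    return `<a href="${escapeHtml(url)}">${text}</a>`;
  };
}

const renderInsecureDefault = makeLinkWidget(false); // the pattern the rule flags
const renderSecureDefault = makeLinkWidget(true);    // encode unless told otherwise

// Review helper: list the call sites that explicitly opt out of encoding.
// With a secure default these are the only places raw HTML can reach the page.
function findRawLabelCallSites(callSites) {
  return callSites
    .filter((site) => site.options.encodeLabel === false)
    .map((site) => site.name);
}

// Constructed sample data: one user-controlled label, one developer-written icon label.
const callSites = [
  { name: 'profileLink', options: { label: '<img src=x onerror=alert(1)>', url: '/u/42' } },
  { name: 'homeIcon', options: { label: '<i class="icon-home"></i>', url: '/', encodeLabel: false } },
];

for (const site of callSites) {
  console.log(site.name, 'insecure default:', renderInsecureDefault(site.options));
  console.log(site.name, 'secure default:  ', renderSecureDefault(site.options));
}
console.log('explicit raw-HTML call sites:', findRawLabelCallSites(callSites));
```

With the secure default, the call site that never mentions `encodeLabel` is rendered as inert text, and the one place that emits raw HTML is visible in review because it says so explicitly.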