Paged Out #6 [pdf]

The "How to use a Python variable in an external Javascript (Django)" examples are likely vulnerable to an XSS attack, when the variable contains user supplied content.

It's important to output-encode for the correct context. By default, Django encodes template variables for an HTML context, which can allow XSS when output inside a script tag or as a JavaScript file.

Thanks! I'll pass this to the author.

Out of curiosity I've started looking in Django docs (I'm more of a flask person myself), and they seems to confirm what you're saying. More to the point, the `strings` are the main issue. The default autoescape actually encodes ' and " as HTML entities, but doesn't encode a backslash, so leaving a \ at end of a ' or " string would escape the string ending - this would be exploitable if the attacker controls two strings of the same "type' in a row.

I guess this is the proper way to do it: https://docs.djangoproject.com/en/5.1/ref/templates/builtins...

Thanks @GICodeWarrior for taking time commenting on the article. Shamefully, I can already imagine a scenario on how the attack could be carried out. Fortunately, the vulnerability can be corrected by introducing escapejs template filter. Big thanks to @gynvael.

All JSON serializers worth their salt can serialize a single string to JSON, so the simplest way is to do json.dumps(the_string) and mark the string as safe so that it doesn't get escaped twice.

Simple JSON encoding alone is not sufficient if you put the output into a <script> tag.

<script>const user_input = "</script><script>alert(1)//"; ...

Encoding for each scenario can be quite complex unfortunately. Django does have some template filters to help.

I recommend following the documentation carefully, and using a JSON API or other similarly standard mechanism if the documented options are insufficient.

If you're interested to explore lots of XSS edge cases, I've found this CTF to be enjoyable.

https://alf.nu/alert1