
Paged Out #6 [pdf]

(pagedout.institute)
306 points by pcfwik | 4 comments

GICodeWarrior (No.43519636)
The "How to use a Python variable in an external Javascript (Django)" examples are likely vulnerable to an XSS attack, when the variable contains user supplied content.

It's important to output-encode for the correct context. By default, Django encodes template variables for an HTML context, which can allow XSS when output inside a script tag or as a JavaScript file.

replies(2): >>43522190 #>>43522535 #
1. gynvael (No.43522190)
Thanks! I'll pass this to the author.

Out of curiosity I've started looking at the Django docs (I'm more of a flask person myself), and they seem to confirm what you're saying. More to the point, the `strings` are the main issue. The default autoescape actually encodes ' and " as HTML entities, but doesn't encode a backslash, so leaving a \ at end of a ' or " string would escape the string ending - this would be exploitable if the attacker controls two strings of the same "type' in a row.

I guess this is the proper way to do it: https://docs.djangoproject.com/en/5.1/ref/templates/builtins...

replies(2): >>43524059 #>>43526125 #
2. Kwpolska (No.43524059)
All JSON serializers worth their salt can serialize a single string to JSON, so the simplest way is to do json.dumps(the_string) and mark the string as safe so that it doesn't get escaped twice.
replies(1): >>43526014 #
3. GICodeWarrior (No.43526014)
Simple JSON encoding alone is not sufficient if you put the output into a <script> tag.

<script>const user_input = "</script><script>alert(1)//"; ...
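The three encodings discussed in this subthread side by side, as an added example that is not code from the thread or from Django: the default autoescape approximated with html.escape, plain json.dumps, and JSON plus hex-escaping of <, > and & in the style of Django's json_script filter. The helper names and the two constructed inputs are my own.

```python
"""Embedding a Python string in inline JavaScript: why HTML autoescaping and
plain JSON are each insufficient, and what a script-safe literal looks like."""
import html
import json

# Constructed inputs mirroring the two cases raised in the thread.
TRAILING_BACKSLASH = "\\"                      # swallows the closing quote
SCRIPT_BREAKOUT = '</script><script>alert(1)//'  # terminates the element


def html_autoescaped_literal(value: str) -> str:
    """Template writes "{{ var }}": approximates Django's default autoescape,
    which encodes & < > " ' but leaves a backslash untouched."""
    return '"' + html.escape(value, quote=True) + '"'


def json_literal(value: str) -> str:
    """json.dumps + mark_safe: backslashes and quotes are handled, but the
    HTML parser still sees a raw '</script>' inside the literal."""
    return json.dumps(value)


def json_script_literal(value: str) -> str:
    """JSON-encode, then hex-escape the characters the HTML parser acts on,
    so the literal can never end the surrounding <script> element
    (same idea as Django's json_script filter; hand-rolled here, assumption)."""
    return (json.dumps(value)
            .replace("&", "\\u0026")
            .replace("<", "\\u003c")
            .replace(">", "\\u003e"))


def render_inline(encoder, value: str) -> str:
    """Build the inline script a template would emit for the given encoder."""
    return f"<script>const user_input = {encoder(value)};</script>"


def breaks_out_of_script(rendered: str) -> bool:
    """The HTML tokenizer ends a <script> at the first '</script' regardless of
    JS string context, so a second occurrence means the literal escaped it."""
    return rendered.lower().count("</script") > 1


def closing_quote_escaped(literal: str) -> bool:
    """True when an odd run of backslashes precedes the closing quote, i.e. the
    JS string is not terminated where the template author expected."""
    body = literal[:-1]
    trailing = len(body) - len(body.rstrip("\\"))
    return trailing % 2 == 1
```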

4. GICodeWarrior (No.43526125)
If you're interested in exploring lots of XSS edge cases, I've found this CTF to be enjoyable.

https://alf.nu/alert1