Paged Out #6 [pdf]

(pagedout.institute)
306 points pcfwik | 2 comments
GICodeWarrior No.43519636
The "How to use a Python variable in an external Javascript (Django)" examples are likely vulnerable to an XSS attack, when the variable contains user-supplied content.

It's important to output-encode for the correct context. By default, Django encodes template variables for an HTML context, which can allow XSS when output inside a script tag or as a JavaScript file.

replies(2): >>43522190 #>>43522535 #
1. elsadek No.43522535
Thanks @GICodeWarrior for taking the time to comment on the article. Shamefully, I can already imagine a scenario for how the attack could be carried out. Fortunately, the vulnerability can be corrected by introducing the escapejs template filter. Big thanks to @gynvael.
replies(1): >>43526099 #
2. GICodeWarrior No.43526099
Encoding for each scenario can be quite complex, unfortunately. Django does have some template filters to help.

I recommend following the documentation carefully, and using a JSON API or other similarly standard mechanism if the documented options are insufficient.
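To make the context point in the thread concrete, here is an added Python example; it is not code from Paged Out, from the article being discussed, or from Django itself. It re-implements the character tables behind Django's `escapejs` and `json_script` filters and its HTML autoescape so the comparison runs without Django installed; the `var name = "..."` template line, the function names, and the sample input are constructed for the demonstration. In a real project you would use the framework's own filters (`{{ value|escapejs }}` inside a quoted JS string, or `{{ data|json_script:"some-id" }}` read back with `JSON.parse`) rather than these stand-ins.

```python
import json
import re
from typing import Callable

# Constructed sample input: a string a user could submit through a form field
# that later lands inside a JavaScript string literal in a Django template.
USER_VALUE = '"; evil(); //'

# Re-implementation of the character table behind Django's ``escapejs`` filter
# (django.utils.html.escapejs). Every character that could end a JS string
# literal, close a <script> block or start HTML markup is replaced by its
# \uXXXX form, which a JS string literal decodes back to the original text.
_JS_ESCAPES = {
    "\\": "\\u005C", "'": "\\u0027", '"': "\\u0022", ">": "\\u003E",
    "<": "\\u003C", "&": "\\u0026", "=": "\\u003D", "-": "\\u002D",
    ";": "\\u003B", "`": "\\u0060", "\u2028": "\\u2028", "\u2029": "\\u2029",
}
_JS_ESCAPES.update({chr(z): f"\\u{z:04X}" for z in range(32)})


def escapejs(value: str) -> str:
    """Encode for a JavaScript string-literal context (mirrors Django's filter)."""
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in value)


def html_escape(value: str) -> str:
    """Django's default HTML-context autoescape (django.utils.html.escape)."""
    return (value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
            .replace('"', "&quot;").replace("'", "&#x27;"))


def json_script_payload(data) -> str:
    """Mirror of the body Django's ``json_script`` filter emits: JSON with
    <, > and & \\u-escaped so it cannot close a <script type="application/json">."""
    return (json.dumps(data).replace(">", "\\u003E")
            .replace("<", "\\u003C").replace("&", "\\u0026"))


def render_js(value: str, encoder: Callable[[str], str]) -> str:
    """Constructed stand-in for the template line  var name = "{{ value|... }}";"""
    return f'var name = "{encoder(value)}";'


def string_literal_intact(js: str) -> bool:
    """True when the statement still has exactly the shape var name = "<literal>";
    i.e. the injected value did not escape the string literal."""
    return re.fullmatch(r'var name = "(?:[^"\\]|\\.)*";', js) is not None


def js_string_value(js: str) -> str:
    """Decode the literal the way a JS engine would. escapejs only emits \\uXXXX
    escapes, so that is the only escape form this decoder needs to handle."""
    literal = js[len('var name = "'):-len('";')]
    return re.sub(r"\\u([0-9A-Fa-f]{4})",
                  lambda m: chr(int(m.group(1), 16)), literal)


if __name__ == "__main__":
    cases = (("no encoding (|safe / autoescape off)", lambda s: s),
             ("HTML autoescape (wrong context)", html_escape),
             ("escapejs (JS string context)", escapejs))
    for label, enc in cases:
        out = render_js(USER_VALUE, enc)
        print(f"{label:38} intact={string_literal_intact(out)!s:5} {out}")
        print(f"{'':38} value seen by JS: {js_string_value(out)!r}")
    print(json_script_payload({"name": "</script><script>evil()</script>"}))
```

Running it shows the three outcomes side by side: with no encoding the value terminates the string literal and the remainder is parsed as code; with HTML autoescape the literal happens to survive this input, but the script now sees `&quot;; evil(); //` instead of the submitted text, and JS-specific characters such as backslash and U+2028 are left untouched; with `escapejs` the literal stays intact and decodes back to exactly the original value. The `json_script` form sidesteps string-literal quoting altogether by handing the browser a JSON blob that cannot contain a closing `</script>`.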