gitlab.bandit.B308.B703
'mark_safe()' is used to mark a string as "safe" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use 'django.utils.html.format_html()' to build HTML for rendering instead.
Definition
rules:
  - id: bandit.B308.B703
    patterns:
      - pattern-not-inside: django.utils.html.format_html(...)
      - pattern: django.utils.safestring.mark_safe(...)
    message: |
      'mark_safe()' is used to mark a string as "safe" for HTML output.
      This disables escaping and could therefore subject the content to
      XSS attacks. Use 'django.utils.html.format_html()' to build HTML
      for rendering instead.
    metadata:
      cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      owasp: "A7: Cross-Site Scripting (XSS)"
      license: MIT
    severity: WARNING
    languages:
      - python
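Added example (not code from the rule page or from Django itself): the rendering difference the rule is about, with the flagged mark_safe() form beside the format_html() replacement and the nesting that pattern-not-inside exempts. Because Django may not be installed where this runs, a minimal local stand-in for django.utils.safestring / django.utils.html is defined inline; it is assumed to mirror Django's escaping semantics for str arguments and SafeString pass-through.

```python
import html

# Minimal stand-in for Django's SafeString / mark_safe / format_html
# (assumption: same semantics as Django for these simple cases).
class SafeString(str):
    """A str that render-time escaping must leave alone."""

def mark_safe(s: str) -> SafeString:
    # Disables escaping for whatever s contains, including user input.
    return SafeString(s)

def escape(value) -> SafeString:
    # Already-safe values pass through; everything else is HTML-escaped.
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))

def format_html(fmt: str, *args, **kwargs) -> SafeString:
    # Escapes every argument before interpolation, then marks the result safe.
    return mark_safe(fmt.format(*(escape(a) for a in args),
                                **{k: escape(v) for k, v in kwargs.items()}))

# Constructed attacker-controlled input, e.g. a display name from a form.
USER_NAME = '<script>alert(1)</script>'

def greeting_unsafe(name: str) -> SafeString:
    # Flagged by bandit.B308.B703: mark_safe() around interpolated input,
    # so the script tag reaches the browser verbatim.
    return mark_safe("<p>Hello, %s!</p>" % name)

def greeting_safe(name: str) -> SafeString:
    # Not flagged: format_html() escapes `name` before wrapping it.
    return format_html("<p>Hello, {}!</p>", name)

def greeting_trusted_fragment(name: str) -> SafeString:
    # A trusted, already-safe fragment combined with escaped input; the
    # pattern-not-inside clause means mark_safe() nested here is not flagged.
    badge = mark_safe('<span class="badge">admin</span>')
    return format_html("<p>{} {}</p>", badge, name)

if __name__ == "__main__":
    print(greeting_unsafe(USER_NAME))
    print(greeting_safe(USER_NAME))
    print(greeting_trusted_fragment(USER_NAME))
```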
Short Link: https://sg.run/58xj