gitlab.bandit.B308.B703


'mark_safe()' is used to mark a string as "safe" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use 'django.utils.html.format_html()' to build HTML for rendering instead.
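An added example (not from the rule page or Django's code base) showing the flagged pattern beside the recommended one. It assumes nothing about an installed Django: `SafeString`, `mark_safe`, `conditional_escape` and `format_html_like` are stand-ins written here to mirror Django's escaping semantics so the contrast runs offline.

```python
import html


class SafeString(str):
    """Marker type for trusted HTML (mirrors django.utils.safestring.SafeString)."""


def mark_safe(s: str) -> SafeString:
    # Stand-in for django.utils.safestring.mark_safe(): disables escaping
    # for whatever is inside, whether trusted or not.
    return SafeString(s)


def conditional_escape(value) -> SafeString:
    # Already-safe strings pass through; everything else is HTML-escaped.
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def format_html_like(fmt: str, *args, **kwargs) -> SafeString:
    # Stand-in for django.utils.html.format_html(): only the literal format
    # string is trusted; every argument is escaped before substitution.
    return mark_safe(fmt.format(
        *(conditional_escape(a) for a in args),
        **{k: conditional_escape(v) for k, v in kwargs.items()}))


# Constructed sample input: a display name supplied by a user.
USER_NAME = "<script>alert(1)</script>"


def render_badge_unsafe(name: str) -> SafeString:
    # Flagged by bandit.B308.B703: the user-controlled name is interpolated
    # first, then the whole string is marked safe, so it is never escaped.
    return mark_safe(f'<span class="badge">{name}</span>')


def render_badge_safe(name: str) -> SafeString:
    # Same markup built the recommended way: the template is the only
    # trusted part; `name` is escaped on substitution.
    return format_html_like('<span class="badge">{}</span>', name)


if __name__ == "__main__":
    print(render_badge_unsafe(USER_NAME))
    print(render_badge_safe(USER_NAME))
```

The first call returns the script tag intact; the second returns it entity-encoded, which is the behaviour the rule's message points to.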


Definition

rules:
  - id: bandit.B308.B703
    patterns:
      - pattern-not-inside: django.utils.html.format_html(...)
      - pattern: django.utils.safestring.mark_safe(...)
    message: |
      'mark_safe()' is used to mark a string as "safe" for HTML output.
      This disables escaping and could therefore subject the content to
      XSS attacks. Use 'django.utils.html.format_html()' to build HTML
      for rendering instead.
    metadata:
      cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation
        ('Cross-site Scripting')"
      owasp: "A7: Cross-Site Scripting (XSS)"
      license: MIT
    severity: WARNING
    languages:
      - python