python.django.security.audit.xss.context-autoescape-off.context-autoescape-off

Community Favorite
Author: semgrep
Download count: 49,007

Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'.

Definition

rules:
  - id: context-autoescape-off
    message: "Detected a Context with autoescape disabled. If you are rendering any
      web pages, this exposes your application to cross-site scripting (XSS)
      vulnerabilities. Remove 'autoescape: False' or set it to 'True'."
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://docs.djangoproject.com/en/3.1/ref/settings/#templates
        - https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates
      category: security
      technology:
        - django
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - python
    severity: WARNING
    patterns:
      - pattern-either:
          - pattern: |
              {..., "autoescape": $FALSE, ...}
          - pattern: |
              $D["autoescape"] = $FALSE
      - metavariable-pattern:
          metavariable: $FALSE
          pattern: |
            False
      - focus-metavariable: $FALSE
    fix: |
      True

Examples

context-autoescape-off.py

import base64
import mimetypes
import os

from django.urls import reverse  # django.core.urlresolvers was removed in Django 2.0
from django.http import HttpResponse
from django.shortcuts import redirect, render
from django.views.decorators.csrf import csrf_exempt

# adapted from https://github.com/mpirnat/lets-be-bad-guys/blob/7cbf11014bfc6dc9e199dc0b8a64e4597bc2338f/badguys/vulnerable/views.py#L95

def file_access(request):
    msg = request.GET.get('msg', '')
    # ok: context-autoescape-off
    return render(request, 'vulnerable/injection/file_access.html',
            {'msg': msg})

## 03 - XSS

def xss_form(request):
    # ruleid: context-autoescape-off
    env = {'qs': request.GET.get('qs', 'hello'), 'autoescape': False}
    response = render(request, 'vulnerable/xss/form.html', env)
    response.set_cookie(key='monster', value='omnomnomnomnom!')
    return response


def xss_path(request, path='default'):
    # ruleid: context-autoescape-off
    env = {'autoescape': False, 'path': path}
    return render(request, 'vulnerable/xss/path.html', env)


def xss_query(request):
    # ruleid: context-autoescape-off
    return render(request, 'vulnerable/xss/query.html', {'qs': request.GET.get('qs', 'hello'), "autoescape":False})
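As an added example (not the rule's own code or its test file), the following stdlib-only script re-implements the rule's two patterns with Python's ast module, runs them over a constructed sample shaped like the test file above, and applies the rule's `fix: True` at the focused literal; the function names and the sample are assumptions made here.

```python
# Stdlib approximation of the rule's two patterns and its fix (added example, not
# part of the rule or its test file; ast-based, so simpler than Semgrep's matcher).
import ast

def _is_false(node):
    return isinstance(node, ast.Constant) and node.value is False

def find_autoescape_off(source):
    """(lineno, col, end_col, kind) per hit; offsets (UTF-8 bytes) point at the
    False literal, as the rule's focus-metavariable does."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Dict):  # pattern 1: {..., "autoescape": $FALSE, ...}
            for key, val in zip(node.keys, node.values):
                if isinstance(key, ast.Constant) and key.value == "autoescape" and _is_false(val):
                    hits.append((val.lineno, val.col_offset, val.end_col_offset, "dict-literal"))
        elif isinstance(node, ast.Assign) and _is_false(node.value):  # pattern 2: $D["autoescape"] = $FALSE
            for tgt in node.targets:
                idx = getattr(tgt, "slice", None)              # only ast.Subscript targets have .slice
                if isinstance(idx, getattr(ast, "Index", ())):  # Python <= 3.8 wraps the key
                    idx = idx.value
                if isinstance(idx, ast.Constant) and idx.value == "autoescape":
                    v = node.value
                    hits.append((v.lineno, v.col_offset, v.end_col_offset, "subscript-assign"))
    return sorted(hits)

def fix_autoescape_off(source):
    """Apply the rule's `fix: True` to each flagged literal only, last hit first so offsets stay valid."""
    lines = source.splitlines(keepends=True)
    for lineno, col, end_col, _ in sorted(find_autoescape_off(source), reverse=True):
        raw = lines[lineno - 1].encode("utf-8")
        assert raw[col:end_col] == b"False", "offset did not land on the literal"
        lines[lineno - 1] = (raw[:col] + b"True" + raw[end_col:]).decode("utf-8")
    return "".join(lines)

# Constructed sample in the shape of the test file above (not the fixture itself).
SAMPLE = """\
def xss_form(request):
    env = {'qs': request.GET.get('qs', 'hello'), 'autoescape': False}
    return render(request, 'vulnerable/xss/form.html', env)
def template_options():
    OPTIONS = {}
    OPTIONS["autoescape"] = False          # same setting written by key
    return OPTIONS
def file_access(request):                  # ok: autoescape stays on
    return render(request, 'f.html', {'msg': request.GET.get('msg', ''), 'autoescape': True})
"""
```

Running `find_autoescape_off(SAMPLE)` reports lines 2 and 6 only; `fix_autoescape_off(SAMPLE)` rewrites just those two literals and leaves the `True` case untouched.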