python.django.security.audit.xss.template-autoescape-off.template-autoescape-off
Community Favorite
Author: semgrep
Download Count*: 49,007
Detected a template block where autoescaping is explicitly disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider instead using mark_safe in Python code.
Definition
rules:
  - id: template-autoescape-off
    message: Detected a template block where autoescaping is explicitly disabled
      with '{% autoescape off %}'. This allows rendering of raw HTML in this
      segment. Turn autoescaping on to prevent cross-site scripting (XSS). If
      you must do this, consider instead, using `mark_safe` in Python code.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape
      category: security
      technology:
        - django
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - regex
    paths:
      include:
        - "*.html"
    severity: WARNING
    pattern-regex: "{%\\s+autoescape\\s+off\\s+%}"
Examples
template-autoescape-off.html
<h4>From: {{ from_email }}</h4>
<h4>To:
  {% for recipient in recipients %}
    {{ recipient }}
  {% endfor %}
</h4>
<h4>Subject: {{subject}}</h4>
<div class="email-html" style="display: block;">
  <!-- ruleid: template-autoescape-off -->
  {% autoescape off %}
    {{ html_message }}
  {% endautoescape %}
</div>
<div class="email-text" style="display: none;">
  <pre>{{ body }}</pre>
</div>
<hr>
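To see what the rule's regex does and does not flag, here is an added Python example (not part of the registry page or of the Semgrep rule) that runs the pattern-regex from the definition above over constructed templates; it approximates Semgrep's line reporting with a plain `re` scan and does not use Semgrep itself.

```python
import re
from typing import Dict, List

# The rule's pattern-regex, copied verbatim from the definition above.
AUTOESCAPE_OFF = re.compile(r"{%\s+autoescape\s+off\s+%}")


def scan_template(text: str) -> List[int]:
    """Return the 1-based line numbers where the rule's regex matches.

    The regex is applied to the whole file, as Semgrep does for
    pattern-regex rules, so a tag split across lines is still found.
    """
    return [text.count("\n", 0, m.start()) + 1 for m in AUTOESCAPE_OFF.finditer(text)]


def audit(templates: Dict[str, str]) -> Dict[str, List[int]]:
    """Map each template name to the lines the rule would flag."""
    return {name: scan_template(text) for name, text in templates.items()}


# Constructed sample templates (not taken from the registry page).
FLAGGED_TEMPLATE = '<div class="email-html">\n  {% autoescape off %}\n    {{ html_message }}\n  {% endautoescape %}\n</div>\n'

# Django's tag parser strips whitespace inside {% %}, so this variant behaves
# exactly like the one above, but the rule's \s+ requires at least one space
# after '{%' and before '%}', so a regex rule reports nothing here.
COMPACT_TEMPLATE = '<div class="email-html">\n  {%autoescape off%}\n    {{ html_message }}\n  {% endautoescape %}\n</div>\n'

# The tag only appears inside an HTML comment; a regex rule cannot tell and
# still reports it, which is one reason the rule carries confidence: LOW.
COMMENTED_TEMPLATE = '<!-- TODO: drop the old {% autoescape off %} block -->\n<div>{{ body }}</div>\n'

# Autoescaping left on: nothing to report.
CLEAN_TEMPLATE = '{% autoescape on %}\n  {{ html_message }}\n{% endautoescape %}\n'

SAMPLES = {
    "flagged.html": FLAGGED_TEMPLATE,
    "compact.html": COMPACT_TEMPLATE,
    "commented.html": COMMENTED_TEMPLATE,
    "clean.html": CLEAN_TEMPLATE,
}

if __name__ == "__main__":
    for name, lines in audit(SAMPLES).items():
        status = f"flagged on line(s) {lines}" if lines else "no finding"
        print(f"{name}: {status}")
```

The compact variant shows why a regex rule is a triage aid rather than a guarantee: a grep over `autoescape off` with any whitespace, or a review of every `{% autoescape %}` tag, still belongs in the review checklist.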
Short Link: https://sg.run/Q5WZ