python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape

Community Favorite
profile photo of semgrepsemgrep
Author
48,153
Download Count*

Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using force_escape to explicitly escape a translated text.

Run Locally

Run in CI

Defintion

rules:
  - id: template-translate-as-no-escape
    languages:
      - generic
    severity: INFO
    message: Translated strings will not be escaped when rendered in a template.
      This leads to a vulnerability where translators could include malicious
      script tags in their translations. Consider using `force_escape` to
      explicitly escape a translated text.
    patterns:
      - pattern-either:
          - pattern: |
              {% translate ... as $TRANS ... %}
              ...
              ...
              ...
              ...
              ...
              ...
              ...
              ...
              ...
              ...
              {{ ... $TRANS ... }}
          - pattern: |
              {% trans ... as $TRANS ... %}
              ...
              ...
              ...
              ...
              ...
              ...
              ...
              ...
              ...
              ...
              {{ ... $TRANS ... }}
      - pattern-not: |
          {% translate ... as $TRANS ... %}
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          {{ ... $TRANS ... | ... force_escape ... }}
      - pattern-not: |
          {% trans ... as $TRANS ... %}
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          {{ ... $TRANS ... | ... force_escape ... }}
      - pattern-not: |
          {% translate ... as $TRANS ... %}
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          {% filter force_escape %}
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          {{ ... $TRANS ... }}
      - pattern-not: |
          {% trans ... as $TRANS ... %}
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          {% filter force_escape %}
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          ...
          {{ ... $TRANS ... }}
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates
        - https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code
      category: security
      technology:
        - django
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)

Examples

template-translate-as-no-escape.html

<!-- ruleid: template-translate-as-no-escape -->
{% translate "Hello world" as the_title %}
<div>
<h1>{{ the_title }}</h1>
</div>

<!-- ruleid: template-translate-as-no-escape -->
{% trans "Hello world" as title %}
<p>{{ title }}</p>

<!-- ok: template-translate-as-no-escape -->
{% translate "Hello world" as foo %}
<h1>{{foo | force_escape}}</h1>

<!-- ok: template-translate-as-no-escape -->
{% translate "Hello world" as bar %}
<div>
{% filter force_escape %}
<h1>{{ bar }}</h1>
{% endfilter %}
</div>