python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape

Community Favorite
profile photo of returntocorpreturntocorp
Author
48,200
Download Count*
LGPL Commons Clause
License

This rule is deprecated. It will no longer produce findings.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: template-translate-no-escape
    languages:
      - generic
    severity: INFO
    message: This rule is deprecated. It will no longer produce findings.
    patterns:
      - pattern: a()
      - pattern: b()
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates
        - https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code
      category: security
      technology:
        - django
      deprecated: true
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

template-translate-no-escape.html

<title>{% translate "This is the title." %}</title>
<title>{% translate myvar %}</title>
<title>{% trans foobar %}</title>

{% translate "This is the title" as the_title %}
<title>{{ the_title | force_escape }}</title>

<div>
    {% filter force_escape %}
    <title>{% translate "This is the title." %}</title>
    {% endfilter %}
</div>