python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq

Community Favorite
Author: semgrep
Download count: 49,007

Detected a template variable where autoescaping is explicitly disabled with '| safeseq' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use mark_safe in your Python code.

Definition

rules:
  - id: template-var-unescaped-with-safeseq
    message: Detected a template variable where autoescaping is explicitly disabled
      with '| safeseq' filter. This allows rendering of raw HTML in this
      segment. Ensure no user data is rendered here, otherwise this is a
      cross-site scripting (XSS) vulnerability. If you must do this, use
      `mark_safe` in your Python code.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq
      category: security
      technology:
        - django
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - regex
    paths:
      include:
        - "*.html"
    severity: WARNING
    pattern-regex: "{{.*?\\|\\s+safeseq(\\s+}})?"

Examples

template-var-unescaped-with-safeseq.html

{% block opengraph %}

<!-- safeseq probably isn't used this way, but it illustrates the point -->

<meta property="og:locale" content="en_US" />
<meta property="og:type" content="website" />
<meta property="og:site_name" content="semgrep" />
<meta property="og:description" content="content" />
<!-- ruleid: template-var-unescaped-with-safeseq -->
<meta property="og:image" content="{{ sequence_of_things | safeseq | join:','}}" />
<meta property="og:image:type" content="image/jpeg" />
<meta property="og:image:width" content="600" />
<meta property="og:image:height" content="600" />
<!-- ok: template-var-unescaped-with-safeseq -->
<meta property="not-real-only-for-testing" content="{{ safeseq }}" />

<!-- Google OAuth sign-in -->
<meta name="google-signin-scope" content="profile email openid">
<!-- ruleid: template-var-unescaped-with-safeseq -->
<meta name="google-signin-client_id" content="{{ client_id | safeseq }}">

{% endblock %}
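The rule above is a plain regex over *.html files, so it is worth seeing exactly what the pattern catches and what it misses. The following is an added example, not part of the Semgrep rule or the registry page: it runs the rule's own pattern-regex over a handful of constructed template lines (the first three mirror the registry example, the rest are invented), and then shows the shape of the fix the message recommends, escaping each element in Python before joining so the template never needs `| safeseq`. Stdlib `html.escape` stands in for Django's `conditional_escape`, and the `mark_safe` wrapping a real view would apply is described in a comment rather than imported, so the block runs without Django installed.

```python
import html
import re

# The rule's pattern-regex from the definition above, with the YAML
# double-escaping removed ("\\|" in the YAML string is the regex token \|).
SAFESEQ_RE = re.compile(r"{{.*?\|\s+safeseq(\s+}})?")

# Constructed template lines for this demonstration; not taken from any real
# project. Lines 1-3 mirror the registry example, lines 4-6 are invented.
SAMPLE_TEMPLATE_LINES = [
    '<meta property="og:image" content="{{ sequence_of_things | safeseq | join:\',\'}}" />',
    '<meta property="not-real-only-for-testing" content="{{ safeseq }}" />',
    '<meta name="google-signin-client_id" content="{{ client_id | safeseq }}">',
    '<p>{{ tags|safeseq|join:", " }}</p>',      # safeseq, no space after the pipe
    '<p>{{ tags |safeseq|join:", " }}</p>',     # safeseq, space before the pipe only
    '{% for t in tags %}<li>{{ t }}</li>{% endfor %}',  # autoescaped, nothing to flag
]


def find_safeseq_uses(lines):
    """Run the rule's regex over template lines.

    Returns a list of (1-based line number, matched text), one entry per
    match, which is what the rule would report for the file.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for match in SAFESEQ_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def escape_and_join(items, sep=","):
    """Escape every element, then join, so the template needs no |safeseq.

    This is the shape of the fix the rule message recommends: do the escaping
    in Python and hand the template one string. In a real Django view the
    return value would be wrapped in django.utils.safestring.mark_safe (or
    built with format_html); stdlib html.escape stands in for
    django.utils.html.conditional_escape so this runs without Django.
    """
    return sep.join(html.escape(str(item), quote=True) for item in items)


if __name__ == "__main__":
    for lineno, text in find_safeseq_uses(SAMPLE_TEMPLATE_LINES):
        print(f"line {lineno}: {text}")
    # Constructed attacker-controlled element that would break out of the
    # content="..." attribute if it reached the page through |safeseq.
    untrusted = ["image.jpg", '"><script>alert(1)</script>']
    print(escape_and_join(untrusted))
```

Running this flags sample lines 1 and 3 only. Lines 4 and 5 also disable escaping with `safeseq`, but `\|\s+safeseq` requires at least one whitespace character between the pipe and the filter name, so `tags|safeseq` and `tags |safeseq` are not reported. That gap is one reason the rule carries `confidence: LOW`; when auditing a codebase, pair it with a plain grep for `safeseq` (and `safe`, `autoescape off`) rather than treating a clean Semgrep run as proof that no template marks untrusted data safe.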