minusworld.django-xss

r2c

Author

Download Count*

LGPL Commons Clause

License

Secure defaults for XSS prevention in Django

Run Locally

Rules (13)

python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe

returntocorp

regex

Detected a segment of a Flask template where autoescaping is explicitly disabled with '| safe' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability.

python.django.security.audit.avoid-mark-safe.avoid-mark-safe

returntocorp

python

'mark_safe()' is used to mark a string as "safe" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use 'django.utils.html.format_html()' to build HTML for rendering instead.

python.django.security.audit.xss.context-autoescape-off.context-autoescape-off

returntocorp

python

Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'.

python.django.security.audit.xss.global-autoescape-off.global-autoescape-off

returntocorp

python

Autoescape is globally disbaled for this Django application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'.

python.django.security.audit.xss.template-autoescape-off.template-autoescape-off

returntocorp

regex

Detected a template block where autoescaping is explicitly disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider instead, using `mark_safe` in Python code.

python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq

returntocorp

regex

Detected a template variable where autoescaping is explicitly disabled with '| safeseq' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code.

python.flask.security.xss.audit.template-unquoted-attribute-var.template-unquoted-attribute-var

returntocorp

generic

Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ $...VAR }}".

python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe

returntocorp

python

Detected Django filters flagged with 'is_safe'. 'is_safe' tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, 'is_safe' could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. Consider instead removing 'is_safe' and explicitly marking safe content with 'mark_safe()'.

python.django.security.audit.xss.html-safe.html-safe

returntocorp

python

`html_safe()` add the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.

python.django.security.audit.xss.class-extends-safestring.class-extends-safestring

returntocorp

python

Found a class extending 'SafeString', 'SafeText' or 'SafeData'. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. If you need this functionality, use 'mark_safe' instead and ensure no user data can reach it.

python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse

returntocorp

python

Detected data rendered directly to the end user via 'HttpResponse' or a similar object. This bypasses Django's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django's template engine to safely render HTML.

python.django.security.audit.xss.html-magic-method.html-magic-method

returntocorp

python

The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.

python.django.security.audit.xss.template-href-var.template-href-var

returntocorp

generic

Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use the 'url' template tag to safely generate a URL. You may also consider setting the Content Security Policy (CSP) header.