Opened 17 years ago
Closed 17 years ago
#5882 closed (invalid)
Cross-site scripting not mentioned in the tutorial
| Reported by: | | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | dev |
| Severity: | | Keywords: | xss cross-site-scripting |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Am I right that you don't mention the problem of cross-site scripting in the tutorial? Let's say I would add a poll like this:
question: What does <script>alert("foo");</script> do?
Would the application output a properly quoted question or would I get a JavaScript message box?
Change History (3)
comment:1 by , 17 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 17 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
You probably wanted to attach the response to ticket 5880. This ticket is about documentation, not admin.
In the examples in the tutorial, the "escape" function is not mentioned. This makes the readers believe that just including the raw text into the HTML code is the right way to do it.
None of the three following pages has the word "escape" in it:
http://www.djangoproject.com/documentation/tutorial01/
http://www.djangoproject.com/documentation/tutorial02/
http://www.djangoproject.com/documentation/tutorial03/
comment:3 by , 17 years ago
Resolution: | → invalid |
---|---|
Status: | reopened → closed |
Django's default autoescaping of template output makes this moot, and there's a section in the template docs where people can learn how to turn it off if they can't stand it.
Protecting yourself against XSS is a fundamental security issue that any person doing web development must know and protect against. Django provides an `escape` template filter. I am closing this ticket since:
`escape` on user input regardless.
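To make the reporter's question and the closing comment's answer concrete, here is an added example that is not part of the ticket or of Django itself. It renders the poll question from the description into a one-line HTML template twice: once with raw interpolation (the behaviour the reporter feared the tutorial teaches) and once with every substituted value passed through an escaping function, which is what Django's default template autoescaping does. Python's standard-library `html.escape` is used as a stand-in for Django's `escape` filter; the template string, the function names and the `contains_script_element` check are constructed for this illustration.

```python
import html

# The poll question quoted in the ticket description, used as the sample input.
POLL_QUESTION = 'What does <script>alert("foo");</script> do?'

# Constructed minimal template with a single placeholder for the question text.
TEMPLATE = "<h1>{question}</h1>"


def render_raw(question: str) -> str:
    """Interpolate the value unchanged, as if autoescaping were off.

    A browser parsing this output treats the <script> element as code,
    so the stored question would execute in every reader's session.
    """
    return TEMPLATE.format(question=question)


def escape_html(value: str) -> str:
    """Stand-in for Django's ``escape`` filter (stdlib, not Django).

    Converts the five HTML metacharacters & < > " ' into entities so the
    value is rendered as text rather than parsed as markup.
    """
    return html.escape(value, quote=True)


def render_autoescaped(question: str) -> str:
    """Interpolate with escaping applied to every substituted value.

    This mirrors what Django's template engine does by default; the
    question is displayed literally, including the angle brackets.
    """
    return TEMPLATE.format(question=escape_html(question))


def contains_script_element(rendered: str) -> bool:
    """Crude check, only used to contrast the two outputs above."""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    print("raw:        ", render_raw(POLL_QUESTION))
    print("autoescaped:", render_autoescaped(POLL_QUESTION))
```

The escaped output shows the reader the literal text `What does <script>alert("foo");</script> do?` while the raw output delivers a script element to the browser; the difference is exactly the one the ticket asks about, and it is why the closing comment calls the question moot under Django's default autoescaping.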