Ticket #7177 (new)

Opened 6 days ago

Last modified 4 days ago

Expand and modify escaping of JavaScript strings in the escapejs filter

Reported by: Mike Wiacek <mjwiacek@google.com> Assigned to: nobody
Component: Template system Version: SVN
Keywords: Cc:
Triage Stage: Unreviewed Has patch: 1
Needs documentation: 0 Needs tests: 0
Patch needs improvement: 0

Description

The escapejs filter currently escapes a small subset of characters to prevent JavaScript injection. However, the resulting strings can still contain valid HTML, leading to XSS vulnerabilities. Using hex encoding as opposed to backslash escaping effectively prevents JavaScript injection and also helps prevent XSS. Attached is a small patch that modifies the _js_escapes tuple to use hex encoding on an expanded set of characters.

Attachments

django_js_escapes.diff (1.7 kB) - added by Mike Wiacek <mjwiacek@google.com> on 05/05/08 19:54:24.
django_js_escapes.2.diff (1.7 kB) - added by Mike Wiacek <mjwiacek@google.com> on 05/08/08 03:10:16.

Change History

05/05/08 19:54:24 changed by Mike Wiacek <mjwiacek@google.com>

  • attachment django_js_escapes.diff added.

05/08/08 03:10:16 changed by Mike Wiacek <mjwiacek@google.com>

  • attachment django_js_escapes.2.diff added.

05/08/08 03:10:46 changed by Mike Wiacek <mjwiacek@google.com>

  • needs_better_patch changed.
  • needs_tests changed.
  • needs_docs changed.

Version 1 didn't escape \'s first. Version 2 fixes this.
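As an added illustration of the hex-encoding approach described in the ticket and of the backslash-ordering defect noted in the comment above (example code written for this page, not the attached patch or Django's own `_js_escapes`; the escape table and the function names are this example's own):

```python
from typing import Iterable, Tuple

# This example's own escape table (not Django's _js_escapes). Each dangerous
# character becomes a \xNN hex escape, so the escaped string can never contain
# HTML-significant characters such as < > & or quotes.
# ORDER MATTERS: the backslash must be escaped first, otherwise the backslashes
# introduced by later substitutions would themselves be escaped again.
_JS_ESCAPES: Tuple[Tuple[str, str], ...] = (
    ("\\", "\\x5C"),
    ("'", "\\x27"),
    ('"', "\\x22"),
    ("<", "\\x3C"),
    (">", "\\x3E"),
    ("&", "\\x26"),
    ("=", "\\x3D"),
    ("-", "\\x2D"),
    (";", "\\x3B"),
    ("\n", "\\x0A"),
    ("\r", "\\x0D"),
)

def _apply(table: Iterable[Tuple[str, str]], value: str) -> str:
    for ch, esc in table:
        value = value.replace(ch, esc)
    return value

def escapejs_hex(value: str) -> str:
    """Hex-escape a value for embedding in a JS string literal inside HTML."""
    return _apply(_JS_ESCAPES, value)

def escapejs_hex_v1(value: str) -> str:
    """Same table with the backslash entry moved last: reproduces the
    'version 1' defect from the ticket (already-escaped output is re-escaped)."""
    return _apply(_JS_ESCAPES[1:] + _JS_ESCAPES[:1], value)

def escapejs_backslash_only(value: str) -> str:
    """The narrower backslash-only style the ticket argues is insufficient."""
    table = (("\\", "\\\\"), ("'", "\\'"), ('"', '\\"'), ("\n", "\\n"), ("\r", "\\r"))
    return _apply(table, value)

def contains_html_markup(escaped: str) -> bool:
    """True if the escaped text could still be parsed by an HTML parser as tags."""
    return "<" in escaped or ">" in escaped

def js_string_value(escaped: str) -> str:
    """What a JS engine would see as the literal's value (ASCII input only;
    Python's unicode_escape decoder stands in for the JS parser here)."""
    return escaped.encode("ascii").decode("unicode_escape")
```

Running `js_string_value` over both escapers shows that the hex form round-trips to the original text while the version-1 ordering yields a literal backslash sequence instead of the intended character.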
