| | 8 | .. note:: |
| | 9 | |
| | 10 | Django's web security implementations have been designed with security for |
| | 11 | real-world applications in mind. Django is a general-purpose web |
| | 12 | application framework, and its defaults reflect this - they will not be the |
| | 13 | best solution for every particular case. Special cases deserve special |
| | 14 | attention to their needs. |
| | 15 | |
| | 16 | Web security requires a multi-layered approach. Neither a single layer of |
| | 17 | protection, nor an apparent weakness in one, can on its own reflect on the |
| | 18 | overall security of a Django website. This needs to be borne in mind |
| | 19 | particularly when assessing individual points in security audits. |
| | 20 | |
| 23 | | XSS attacks allow a user to inject client side scripts into the browsers of |
| 24 | | other users. This is usually achieved by storing the malicious scripts in the |
| 25 | | database where it will be retrieved and displayed to other users, or by getting |
| 26 | | users to click a link which will cause the attacker's JavaScript to be executed |
| 27 | | by the user's browser. However, XSS attacks can originate from any untrusted |
| 28 | | source of data, such as cookies or web services, whenever the data is not |
| 29 | | sufficiently sanitized before including in a page. |
| | 36 | In a cross site scripting attack, malicious code in the form of a client-side |
| | 37 | script is injected into another user's web browser, where it will be executed. |
| | 38 | |
| | 39 | This is typically done by: |
| | 40 | |
| | 41 | * storing the malicious script in the database where it will be retrieved and |
| | 42 | presented to other users in their browsers, or |
| | 43 | * getting users to click a link which will cause the attacker's JavaScript to |
| | 44 | be executed by the user's browser. |
| | 45 | |
| | 46 | Cross site scripting attacks can originate from any untrusted source of data, |
| | 47 | including cookies or web services, if the data are not adequately sanitized |
| | 48 | before being published in a page. |
| 35 | | Django templates :ref:`escape specific characters <automatic-html-escaping>` |
| 36 | | which are particularly dangerous to HTML. While this protects users from most |
| 37 | | malicious input, it is not entirely foolproof. For example, it will not |
| 38 | | protect the following: |
| | 56 | However, the extent of this protection and its limitations should be understood. |
| | 57 | |
| | 58 | Ambiguity, in browsers' interpretation of HTML and in developers' own |
| | 59 | intentions, can open a gap in which autoescaping can fail. Suppose that a |
| | 60 | developer creates: |
| 46 | | If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can |
| 47 | | result in unauthorized JavaScript execution, depending on how the browser |
| 48 | | renders imperfect HTML. (Quoting the attribute value would fix this case.) |
| | 68 | where a ``var`` containing something like ``'class1'`` seems to work. Not only |
| | 69 | might it fail to work at all in other browsers, if ``var`` were set to |
| | 70 | ``'class1 onmouseover=javascript:func()'``, this could result in unauthorized |
| | 71 | JavaScript execution, depending on how the browser renders imperfect HTML. |
| | 82 | It is also important to be particularly careful when using the ``is_safe`` |
| | 83 | attribute with custom template tags, the :tfilter:`safe` template tag, |
| | 84 | :mod:`mark_safe <django.utils.safestring>`, and when autoescape is turned off. |
| | 85 | |
| | 86 | Django's built-in escaping is intended to protect HTML output. If you are using |
| | 87 | the template system to output something other than HTML, the characters and |
| | 88 | strings that require escaping might be entirely different. |
| | 89 | |
| | 90 | You should also be very careful when storing HTML in the database, especially |
| | 91 | when that HTML is retrieved and displayed. Unless the HTML is guaranteed to |
| | 92 | come from a trusted source - user input is *not* a trusted source - stored HTML |
| | 93 | should be checked and sanitized, preferably on input as well as output. |