Ticket #14032: CSRF cookie value is marked as safe and inserted in the HTML unchecked

Reporter: André Cruz
Owner: Luke Plant
Status: closed
Component: Core (Other)
Version: 1.2
Resolution: fixed
Keywords: security csrf
Cc: clouserw@…
Stage: Unreviewed
Has patch: 0
Needs docs: 0
Needs tests: 0
Needs better patch: 0
Easy: 0
UI/UX: 0

Description:

The value of the CSRF cookie is inserted, unescaped, in the HTML. According to django/template/defaulttags.py:

{{{
from django.template import Node
from django.utils.safestring import mark_safe

class CsrfTokenNode(Node):
    def render(self, context):
        csrf_token = context.get('csrf_token', None)
        if csrf_token:
            if csrf_token == 'NOTPROVIDED':
                return mark_safe(u"")
            else:
                # The raw token is interpolated into the markup and then marked
                # safe, so it bypasses template auto-escaping entirely.
                return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))
}}}

This csrf_token value is the value of the token. There are scenarios in which a subdomain attacker can set the CSRF cookie for the whole domain, and this ends up in the victim's site. The cookie value is never reset, so it can even be used to persist an XSS attack.

Also, the CSRF cookie should support the option to be a secure and/or httponly cookie.