id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
14032	CSRF cookie value is marked as safe and inserted in the HTML unchecked	André Cruz	Luke Plant	"The value of the CSRF Cookie is inserted, unescaped, in the HTML. According to django/template/defaulttags.py:
{{{
class CsrfTokenNode(Node):
    def render(self, context):
        csrf_token = context.get('csrf_token', None)
        if csrf_token:
            if csrf_token == 'NOTPROVIDED':
                return mark_safe(u"""")
            else:
                return mark_safe(u""<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>"" % (csrf_token))
}}}

This csrf_token value is the value of the token. There are scenarios when a subdomain attacker can set the CSRF cookie for the whole domain and this ends up in the victim's site. The cookie value is never reset, so it can even be used to persist an XSS attack. The CSRF cookie should also support the option to be a secure and/or httponly cookie."		closed	Core (Other)	1.2		fixed	security csrf	clouserw@…	Unreviewed	0	0	0	0	0	0
