Context Navigation

← Previous Ticket
Next Ticket →

#21722 closed Cleanup/optimization (fixed)

Add warning for avoiding XSS vulnerabilities when reusing built-in filters

Reported by:	Tim Graham	Owned by:	nobody
Component:	Documentation	Version:	1.6
Severity:	Normal	Keywords:
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

When calling built-in filters in Python code rather than in templates, one must pass autoescape=True to the filter, otherwise the filter input ends up marked safe and never get escaped once rendered in the template.

Attachments (1)

21722.diff (1.3 KB) - added by Tim Graham 10 years ago.

Download all attachments as: .zip

Change History (4)

Changed 10 years ago by Tim Graham

Attachment:	21722.diff added

comment:1 Changed 10 years ago by Simon Charette

Triage Stage:	Accepted → Ready for checkin

> +        def urlize_and_linebreaks(text):
> +            return linebreaksbr(urlize(s, autoescape=True), autoescape=True)

The code example should be calling urlize with text instead of s.

Except this typo the patch looks RFC to me.

comment:2 Changed 10 years ago by Tim Graham <timograham@…>

Resolution:	→ fixed
Status:	new → closed

In 07711e999779eff4296d1a363c1131dbb14acae2:

Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.

Thanks Stephen McDonald for the suggestion.

comment:3 Changed 10 years ago by Tim Graham <timograham@…>

In 8841cbbe82a4ed983e1a84e12782e6095bf2c97e:

[1.6.x] Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.

Thanks Stephen McDonald for the suggestion.

Backport of 07711e9997 from master

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues