Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#21722 closed Cleanup/optimization (fixed)

Add warning for avoiding XSS vulnerabilities when reusing built-in filters

Reported by: Tim Graham
Owned by: nobody
Component: Documentation
Version: 1.6
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When calling built-in filters in Python code rather than in templates, one must pass autoescape=True to the filter, otherwise the filter input ends up marked safe and never gets escaped once rendered in the template.
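The mechanism described above, as an added example that is not part of the ticket or of Django's own code base: a stripped-down model of the Django 1.6 filter pattern (a safe-string marker, conditional escaping, a `linebreaksbr` filter with an `autoescape` parameter, and the template's final output step), with the chained call made once without and once with `autoescape=True`. All names below are simplified re-implementations written for this illustration, not Django's real functions.

```python
# Added example: a simplified model of the Django 1.6 filter/autoescape pattern.
# SafeText, mark_safe, conditional_escape, linebreaksbr and render_variable are
# illustrative re-implementations, not Django's own code.
from html import escape


class SafeText(str):
    """Marks a string as already escaped; the template outputs it verbatim."""


def mark_safe(s):
    return SafeText(s)


def conditional_escape(value):
    """Escape unless the value is already marked safe."""
    return value if isinstance(value, SafeText) else escape(str(value), quote=True)


def linebreaksbr(value, autoescape=None):
    """Model of a built-in filter: escapes its input only when autoescape is
    truthy, then marks the result safe either way (the trap the ticket describes)."""
    if autoescape:
        value = conditional_escape(value)
    return mark_safe(str(value).replace("\n", "<br />"))


def render_variable(value):
    """What the template engine does when outputting a variable with autoescaping on."""
    return conditional_escape(value)


def unsafe_chain(text):
    # Calling the built-in filter from Python without autoescape=True: the input is
    # never escaped, yet the result is marked safe, so the template passes it through.
    return render_variable(linebreaksbr(text))


def safe_chain(text):
    # Passing autoescape=True makes the filter escape before marking its result safe.
    return render_variable(linebreaksbr(text, autoescape=True))


PAYLOAD = "<script>alert(1)</script>\nline 2"  # constructed user-controlled input

if __name__ == "__main__":
    print("without autoescape:", unsafe_chain(PAYLOAD))  # script tag survives
    print("with autoescape:   ", safe_chain(PAYLOAD))    # script tag is escaped
```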

Attachments (1)

21722.diff (1.3 KB) - added by Tim Graham 10 years ago.


Change History (4)

by Tim Graham, 10 years ago

Attachment: 21722.diff added

comment:1 by Simon Charette, 10 years ago

Triage Stage: Accepted → Ready for checkin
> +        def urlize_and_linebreaks(text):
> +            return linebreaksbr(urlize(s, autoescape=True), autoescape=True)
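Review bot: The `s`/`text` mismatch aside, the snippet would read better with a one-line comment on why `autoescape=True` is required on both nested calls: without it neither built-in filter escapes `text`, yet each still marks its result safe, so the template renders the unescaped input (the behaviour the ticket description records). A reader copying the example without that explanation is likely to drop the keyword argument.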

The code example should be calling urlize with text instead of s.

Except for this typo, the patch looks RFC to me.

comment:2 by Tim Graham <timograham@…>, 10 years ago

Resolution: fixed
Status: new → closed

In 07711e999779eff4296d1a363c1131dbb14acae2:

Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.

Thanks Stephen McDonald for the suggestion.

comment:3 by Tim Graham <timograham@…>, 10 years ago

In 8841cbbe82a4ed983e1a84e12782e6095bf2c97e:

[1.6.x] Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.

Thanks Stephen McDonald for the suggestion.

Backport of 07711e9997 from master
