Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#21722 closed Cleanup/optimization (fixed)

Add warning for avoiding XSS vulnerabilities when reusing built-in filters

Reported by: Tim Graham
Owned by: nobody
Component: Documentation
Version: 1.6
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When calling built-in filters in Python code rather than in templates, one must pass autoescape=True to the filter, otherwise the filter input ends up marked safe and never gets escaped once rendered in the template.
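The mechanism behind this ticket, as an added example rather than anything from the ticket or from Django itself: the SafeString, mark_safe, conditional_escape and linebreaksbr functions below are small stand-ins written here to imitate the contract of django.utils.safestring, django.utils.html and django.template.defaultfilters.linebreaksbr (escape only when autoescape is true and the input is not already marked safe; always mark the output safe). The render() helper imitates `{{ value }}` under the default autoescaping, and USER_INPUT is a constructed attacker string. Exact escaping of quote characters differs slightly from Django's escape().

```python
"""Why a built-in filter called from Python needs autoescape=True.

Constructed model of Django's autoescape contract; not Django's own code.
"""
import html


class SafeString(str):
    """Marker type: the template engine will not escape this at render time."""


def mark_safe(s):
    """Stand-in for django.utils.safestring.mark_safe."""
    return s if isinstance(s, SafeString) else SafeString(s)


def conditional_escape(s):
    """What the engine does to every variable under autoescaping: escape
    unless the value is already marked safe."""
    if isinstance(s, SafeString):
        return s
    return mark_safe(html.escape(str(s), quote=True))


def linebreaksbr(value, autoescape=False):
    """Stand-in for django.template.defaultfilters.linebreaksbr.

    The input is escaped only when autoescape is true AND it is not already
    marked safe; the output is always marked safe, so whatever comes out is
    rendered verbatim. Called from a template, the engine passes
    autoescape=True for you; called from Python, the default is False.
    """
    autoescape = autoescape and not isinstance(value, SafeString)
    value = str(value).replace("\r\n", "\n").replace("\r", "\n")
    if autoescape:
        value = html.escape(value, quote=True)
    return mark_safe(value.replace("\n", "<br />"))


def render(value):
    """Emulates `{{ value }}` in a template with autoescaping on."""
    return str(conditional_escape(value))


# Constructed attacker-controlled input, e.g. a comment body from a form.
USER_INPUT = "hi\n<script>alert(1)</script>"


def unsafe_view_context():
    # Bug: filter called from Python without autoescape=True. The raw
    # <script> tag is wrapped in SafeString and the template prints it as-is.
    return render(linebreaksbr(USER_INPUT))


def safe_view_context():
    # Fix: pass autoescape=True so the filter escapes before marking safe.
    return render(linebreaksbr(USER_INPUT, autoescape=True))


def chained_filters():
    # Feeding one filter's (already safe) output into another with
    # autoescape=True does not escape a second time: the SafeString check
    # skips it. This is why chaining filters with autoescape=True, as the
    # ticket's docs example does, is safe without double-escaping.
    first = linebreaksbr(USER_INPUT, autoescape=True)
    return render(linebreaksbr(first, autoescape=True))


def contains_script_tag(rendered):
    """Crude check used below to tell the XSS case from the escaped one."""
    return "<script>" in rendered


if __name__ == "__main__":
    print("without autoescape:", unsafe_view_context())
    print("with autoescape:   ", safe_view_context())
```

The rule the fixed documentation states follows directly: if you call a filter from Python, pass autoescape=True (or forward the autoescape argument your own filter received via needs_autoescape=True), because the filter's output is marked safe regardless of whether its input was ever escaped.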

Change History (4)

by Tim Graham, 11 years ago

Attachment: 21722.diff added

comment:1 by Simon Charette, 11 years ago

Triage Stage: Accepted → Ready for checkin
> +        def urlize_and_linebreaks(text):
> +            return linebreaksbr(urlize(s, autoescape=True), autoescape=True)
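Review bot: `s` is not defined anywhere in the body of `urlize_and_linebreaks(text)`, so this snippet would raise NameError if a reader copied it; it should pass the function's own argument, i.e. `return linebreaksbr(urlize(text, autoescape=True), autoescape=True)`. Worth getting right since this line is the one the new warning points readers at.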

The code example should be calling urlize with text instead of s.

Except for this typo, the patch looks RFC to me.

comment:2 by Tim Graham <timograham@…>, 11 years ago

Resolution: fixed
Status: new → closed

In 07711e999779eff4296d1a363c1131dbb14acae2:

Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.

Thanks Stephen McDonald for the suggestion.

comment:3 by Tim Graham <timograham@…>, 11 years ago

In 8841cbbe82a4ed983e1a84e12782e6095bf2c97e:

[1.6.x] Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.

Thanks Stephen McDonald for the suggestion.

Backport of 07711e9997 from master
