Opened 20 months ago

Closed 20 months ago

Last modified 20 months ago

#21722 closed Cleanup/optimization (fixed)

Add warning for avoiding XSS vulnerabilities when reusing built-in filters

Reported by: timo
Owned by: nobody
Component: Documentation
Version: 1.6
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When calling built-in filters in Python code rather than in templates, one must pass autoescape=True to the filter, otherwise the filter input ends up marked safe and never gets escaped once rendered in the template.

Attachments (1)

21722.diff (1.3 KB) - added by timo 20 months ago.


Change History (4)

Changed 20 months ago by timo

comment:1 Changed 20 months ago by charettes

  • Triage Stage changed from Accepted to Ready for checkin
> +        def urlize_and_linebreaks(text):
> +            return linebreaksbr(urlize(s, autoescape=True), autoescape=True)
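Review bot: The body of urlize_and_linebreaks refers to `s`, but the function's only parameter is `text`; as written the snippet raises NameError when called (or silently reads an unrelated `s` from the enclosing scope), so the inner call should be `urlize(text, autoescape=True)`.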

The code example should be calling urlize with text instead of s.

Except for this typo, the patch looks RFC to me.

comment:2 Changed 20 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 07711e999779eff4296d1a363c1131dbb14acae2:

Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.

Thanks Stephen McDonald for the suggestion.

comment:3 Changed 20 months ago by Tim Graham <timograham@…>

In 8841cbbe82a4ed983e1a84e12782e6095bf2c97e:

[1.6.x] Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.

Thanks Stephen McDonald for the suggestion.

Backport of 07711e9997 from master
