
Opened 4 months ago

Closed 3 months ago

Last modified 3 months ago

#21722 closed Cleanup/optimization (fixed)

Add warning for avoiding XSS vulnerabilities when reusing built-in filters

Reported by: timo
Owned by: nobody
Component: Documentation
Version: 1.6
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When calling built-in filters in Python code rather than in templates, one must pass autoescape=True to the filter, otherwise the filter input ends up marked safe and never gets escaped once rendered in the template.
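
The following is an added example, not code from the ticket or from Django itself. It uses constructed stand-ins for Django's SafeData/mark_safe/escape and a stand-in `linebreaksbr` that copies the shape of a needs_autoescape filter (escape the input only when autoescape is set and the value is not already safe, then mark the result safe). `render_variable` models what `{{ value }}` does with autoescaping on. The attacker-controlled input is constructed for the demonstration.

```python
from typing import Optional

# Constructed stand-ins for Django's SafeData / mark_safe / escape. They
# reproduce the contract the ticket relies on (a str subclass that the
# template engine will not escape again); they are not Django's real classes.
class SafeString(str):
    """Marker type: the template engine treats instances as already escaped."""


def mark_safe(s: str) -> SafeString:
    return s if isinstance(s, SafeString) else SafeString(s)


def escape(s: str) -> SafeString:
    """HTML-escape the five characters Django's escape() handles."""
    return mark_safe(
        str(s)
        .replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
        .replace("'", "&#39;")
    )


def linebreaksbr(value: str, autoescape: Optional[bool] = None) -> SafeString:
    """Stand-in (assumption) for django.template.defaultfilters.linebreaksbr.

    Shape of a needs_autoescape filter: escape the input only when autoescape
    is set and the input is not already safe, then mark the result safe
    because it now contains markup (<br />) produced by the filter itself.
    In a template the engine passes autoescape=True; from Python the default
    is None, so the escape step is skipped but the output is still marked safe.
    """
    autoescape = bool(autoescape) and not isinstance(value, SafeString)
    if autoescape:
        value = escape(value)
    return mark_safe(str(value).replace("\n", "<br />"))


def render_variable(value: str) -> str:
    """What {{ value }} does with autoescaping on: escape unless marked safe."""
    return str(value) if isinstance(value, SafeString) else str(escape(value))


# Constructed attacker-controlled input, e.g. a comment body from a form.
USER_INPUT = "hi<script>alert(1)</script>\nbye"


def render_unsafe(text: str = USER_INPUT) -> str:
    # Called from Python with the default autoescape=None: nothing is escaped,
    # but the output is still marked safe, so the template renders it verbatim.
    return render_variable(linebreaksbr(text))


def render_safe(text: str = USER_INPUT) -> str:
    # Passing autoescape=True makes the filter escape before marking safe,
    # which is what the template engine would have done had the filter been
    # applied inside the template.
    return render_variable(linebreaksbr(text, autoescape=True))


def render_chained(text: str = USER_INPUT) -> str:
    # Chaining is safe as long as every stage gets autoescape=True: the first
    # stage returns a SafeString, so the second stage does not escape twice.
    first = linebreaksbr(text, autoescape=True)
    return render_variable(linebreaksbr(first, autoescape=True))


if __name__ == "__main__":
    print("unsafe: ", render_unsafe())
    print("safe:   ", render_safe())
    print("chained:", render_chained())
```

The point to take away is that the `mark_safe` at the end of such a filter is unconditional; only the escape step depends on `autoescape`, so forgetting the argument when calling the filter from Python turns untrusted input into "safe" markup.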

Attachments (1)

21722.diff (1.3 KB) - added by timo 4 months ago.


Change History (4)

Changed 4 months ago by timo

comment:1 Changed 3 months ago by charettes

  • Triage Stage changed from Accepted to Ready for checkin

> +        def urlize_and_linebreaks(text):
> +            return linebreaksbr(urlize(s, autoescape=True), autoescape=True)
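Review bot: the body calls `urlize(s, autoescape=True)` but the function's parameter is named `text`, so `s` is unbound inside `urlize_and_linebreaks` and the documented example raises `NameError` when called (or silently uses an unrelated `s` if one happens to be in scope); change it to `return linebreaksbr(urlize(text, autoescape=True), autoescape=True)`.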

The code example should be calling urlize with text instead of s.

Except for this typo the patch looks RFC to me.

comment:2 Changed 3 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 07711e999779eff4296d1a363c1131dbb14acae2:

Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.

Thanks Stephen McDonald for the suggestion.

comment:3 Changed 3 months ago by Tim Graham <timograham@…>

In 8841cbbe82a4ed983e1a84e12782e6095bf2c97e:

[1.6.x] Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.

Thanks Stephen McDonald for the suggestion.

Backport of 07711e9997 from master
