Opened 10 years ago
Closed 10 years ago
#23544 closed Bug (wontfix)
Escape backtick
Reported by: | djbug | Owned by: | nobody |
---|---|---|---|
Component: | Uncategorized | Version: | dev |
Severity: | Normal | Keywords: | xss |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
IE8 can suffer from XSS if backtick is left unescaped as it can be used to switch out of the attribute. It should be added in django.utils.html.escape() if this is a serious security issue.
Source & related discussions:
- Paper by Mario Heiderich : https://cure53.de/fp170.pdf
- https://html5sec.org/#102
- http://lcamtuf.coredump.cx/postxss/
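As an added illustration (not Django's code and not part of the ticket), a small Python escaper that mirrors the five characters django.utils.html.escape() replaces, beside a variant that also turns the backtick into `&#96;`, with a check that the escaped value no longer contains any attribute-terminating character; function names, the character map and the sample strings are assumptions made for this example.

```python
# Added example, not django.utils.html.escape() itself. The first map
# reproduces the five replacements Django's escape() performs; the second
# adds the backtick, which IE6-8 accept as an attribute quote and which
# this ticket asks to have escaped as well.
DJANGO_ESCAPE_MAP = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
}

# Assumed extension: same map plus the backtick, encoded as a numeric
# character reference so the browser still sees a literal ` as data.
BACKTICK_MAP = {**DJANGO_ESCAPE_MAP, "`": "&#96;"}


def escape_like_django(text: str) -> str:
    """Mirror the character set that Django's escape() handles."""
    return "".join(DJANGO_ESCAPE_MAP.get(ch, ch) for ch in text)


def escape_attr_with_backtick(text: str) -> str:
    """Same as above, plus the backtick requested by this ticket."""
    return "".join(BACKTICK_MAP.get(ch, ch) for ch in text)


def attribute_is_safe(escaped_value: str) -> bool:
    """Defensive check for a double-quoted attribute: after escaping, none of
    the characters that any browser (including IE6-8 with the backtick)
    treats as an attribute delimiter or tag boundary may remain."""
    return not any(ch in escaped_value for ch in "\"'`<>")


def render_input(value: str, escaper) -> str:
    """Build the attribute the way a template would, via the given escaper."""
    return '<input type="text" value="%s">' % escaper(value)


if __name__ == "__main__":
    sample = 'plain `quoted` "value"'  # constructed sample string
    for name, fn in (("django-style", escape_like_django),
                     ("with backtick", escape_attr_with_backtick)):
        out = fn(sample)
        print(name, render_input(sample, fn), "safe:", attribute_is_safe(out))
```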
Change History (2)
comment:1 by , 10 years ago
Description: | modified (diff) |
---|
comment:2 by , 10 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Please do not report security issues in this ticket tracker! Quoting the new ticket page: "Please don't report security issues here! Contact security@… instead."
This issue was previously privately reported, however, our research found that the problem only exists in IE6, 7 and 8. IE6 and 7 are effectively EOL, and only unpatched versions of IE8 are affected.
Given the potential impact of a change to autoescaping behaviour, the small cross section of affected browsers, and the limited potential for exploit (i.e., that the exploit requires a user-injected script to perform the innerHTML manipulation), we've decided not to patch this issue.