Opened 11 years ago
Closed 11 years ago
#23544 closed Bug (wontfix)
Escape backtick
| Reported by: | djbug | Owned by: | nobody |
|---|---|---|---|
| Component: | Uncategorized | Version: | dev |
| Severity: | Normal | Keywords: | xss |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
IE8 can suffer from XSS if the backtick is left unescaped, as it can be used to switch out of the attribute. It should be added to django.utils.html.escape() if this is a serious security issue.
Source & related discussions:
- Paper by Mario Heiderich: https://cure53.de/fp170.pdf
- https://html5sec.org/#102
- http://lcamtuf.coredump.cx/postxss/
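As an added example (this is not Django's own code and not from the reporter): a small escaper modelled on the characters django.utils.html.escape() replaces, beside a variant that also turns the backtick into `&#96;`, which is the change the ticket asks for, plus a helper that reports which attribute-delimiting characters survive escaping. The function names, the replacement tables and the sample string are this example's own assumptions.

```python
# Added example, not Django's code. Demonstrates why a backtick left
# unescaped inside an attribute matters for legacy IE, and what the
# requested change to escape() would look like.

# Replacement table modelled on django.utils.html.escape(): the five
# characters it handles, with '&' first so existing entities are not
# re-escaped twice in one pass (Django also double-escapes '&amp;').
DJANGO_STYLE = (
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#39;"),
)

# Same table plus the backtick, which IE6-8 treat as an attribute
# delimiter (the behaviour the ticket describes). &#96; is its entity.
LEGACY_IE_STYLE = DJANGO_STYLE + (("`", "&#96;"),)


def escape_with(table, text):
    """Apply each (char, entity) pair in order; order matters for '&'."""
    for char, entity in table:
        text = text.replace(char, entity)
    return text


def django_style_escape(text):
    """Approximation of django.utils.html.escape(): leaves the backtick alone."""
    return escape_with(DJANGO_STYLE, text)


def legacy_ie_escape(text):
    """Hardened variant for pages that must still render safely in IE8."""
    return escape_with(LEGACY_IE_STYLE, text)


def attribute_delimiters_remaining(escaped):
    """Characters that could still terminate an attribute value after
    escaping: the two standard quotes plus the backtick for legacy IE."""
    return sorted(c for c in set(escaped) if c in "\"'`")


def render_title_attr(value, escaper):
    """Build a double-quoted title attribute, the template pattern at issue
    (an autoescaped {{ value }} placed inside title="...")."""
    return 'title="%s"' % escaper(value)


if __name__ == "__main__":
    # Constructed sample: untrusted text that happens to contain a backtick.
    sample = 'Tom & Jerry`s "best" <episode>'
    for name, fn in (("django-style", django_style_escape),
                     ("legacy-ie", legacy_ie_escape)):
        print(name, render_title_attr(sample, fn),
              "remaining:", attribute_delimiters_remaining(fn(sample)))
```

Running the block shows that the Django-style escaper leaves the backtick in the rendered attribute while the legacy-IE variant reports no remaining delimiters; in a Django project this logic would live in a custom template filter applied where the stock autoescaping is not enough for the browsers being supported.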
Change History (2)
comment:1 by , 11 years ago
| Description: | modified (diff) |
|---|---|
Please do not report security issues in this ticket tracker! Quoting the new ticket page: "Please don't report security issues here! Contact security@… instead."
comment:2 by , 11 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
This issue was previously privately reported; however, our research found that the problem only exists in IE6, 7 and 8. IE6 and 7 are effectively EOL, and only unpatched versions of IE8 are affected.
Given the potential impact of a change to autoescaping behaviour, the small cross-section of affected browsers, and the limited potential for exploit (i.e., the exploit requires a user-injected script to perform the innerHTML manipulation), we've decided not to patch this issue.