Opened 10 years ago

Closed 10 years ago

#23544 closed Bug (wontfix)

Escape backtick

Reported by: djbug
Owned by: nobody
Component: Uncategorized
Version: dev
Severity: Normal
Keywords: xss
Cc: (none)
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by djbug)

IE8 can suffer from XSS if the backtick is left unescaped, as it can be used to switch out of the attribute. It should be added to django.utils.html.escape() if this is a serious security issue.

Source & related discussions:

  1. Paper by Mario Heiderich: https://cure53.de/fp170.pdf
  2. https://html5sec.org/#102
  3. http://lcamtuf.coredump.cx/postxss/
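The following is an added illustration of the point raised in the description; it is not code from the ticket and not Django's own source. It reimplements the five replacements that django.utils.html.escape() performs (& < > " ') in a stand-alone function, puts the ticket's proposed extra replacement (backtick to &#x60;) next to it, and checks whether an escaped value can still close an attribute whose delimiter is a backtick, which is the legacy-IE behaviour the ticket describes. The payload string and the attribute name are constructed for the demo and are not taken from the references.

```python
import html

# Reimplementation, for illustration only, of the five replacements made by
# django.utils.html.escape(). This is not Django's code.
DJANGO_ESCAPE_TABLE = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}

# The ticket's proposal: also escape the backtick, which IE 6/7/8 accept as an
# attribute-value delimiter (per the description; modern browsers do not).
HARDENED_ESCAPE_TABLE = {**DJANGO_ESCAPE_TABLE, "`": "&#x60;"}


def escape(text: str, table: dict = DJANGO_ESCAPE_TABLE) -> str:
    """Character-by-character HTML escape using the given replacement table."""
    return "".join(table.get(ch, ch) for ch in text)


def escape_hardened(text: str) -> str:
    """escape() plus the backtick replacement proposed in the ticket."""
    return escape(text, HARDENED_ESCAPE_TABLE)


def breaks_out_of_attribute(value: str, delimiter: str, escaper=escape) -> bool:
    """Return True if the escaped value still contains the character that
    delimits the surrounding attribute, i.e. a parser honouring that delimiter
    would end the attribute early and read the remainder as new attributes."""
    return delimiter in escaper(value)


def render_attribute(value: str, delimiter: str, escaper=escape) -> str:
    """Render a (hypothetical) template fragment that quotes an attribute with
    `delimiter`, the way a template author would write title="{{ value }}"."""
    return f"<a title={delimiter}{escaper(value)}{delimiter}>link</a>"


def roundtrips(value: str, escaper=escape_hardened) -> bool:
    """Escaping must stay reversible: html.unescape() gives the original back."""
    return html.unescape(escaper(value)) == value


if __name__ == "__main__":
    # Constructed payload: closes a backtick-quoted attribute and injects a
    # harmless extra attribute, to show the breakout without any script.
    payload = "x` data-injected=`1"

    for quote in ('"', "'", "`"):
        print(f"delimiter {quote!r}:")
        print("  escape()          breaks out:",
              breaks_out_of_attribute(payload, quote, escape),
              "->", render_attribute(payload, quote, escape))
        print("  escape_hardened() breaks out:",
              breaks_out_of_attribute(payload, quote, escape_hardened),
              "->", render_attribute(payload, quote, escape_hardened))
```

Running it shows that the original five-character table already neutralises " and ' as delimiters, while a backtick survives unchanged; only a template that quotes attributes with backticks, rendered by a legacy-IE parser, is exposed, which is the narrow cross-section the maintainers weigh in the response below.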

Change History (2)

comment:1 by djbug, 10 years ago

Description: modified (diff)

comment:2 by Tim Graham, 10 years ago

Resolution: wontfix
Status: new → closed

Please do not report security issues in this ticket tracker! Quoting the new ticket page: "Please don't report security issues here! Contact security@… instead."

This issue was previously privately reported, however, our research found that the problem only exists in IE6, 7 and 8. IE6 and 7 are effectively EOL, and only unpatched versions of IE8 are affected.

Given the potential impact of a change to autoescaping behaviour, the small cross section of affected browsers, and the limited potential for exploit (i.e., that the exploit requires a user-injected script to perform the innerHTML manipulation), we've decided not to patch this issue.
