Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#23561 closed Uncategorized (fixed)

Can unauthorized JS execution happen in quoted & escaped HTML class name?

Reported by: djbug Owned by: nobody
Component: Documentation Version: 1.7
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by djbug)

According to https://docs.djangoproject.com/en/1.7/topics/security/

<style class="{{ var }}">...</style>

If var is set to 'class1 onmouseover=javascript:func()', this can result in unauthorized JavaScript execution, depending on how the browser renders imperfect HTML.

If var is escaped and the class attribute is in quotes, how can JS execution happen?

The previous version of docs i.e. https://docs.djangoproject.com/en/1.6/topics/security/ & before didn't have quotes around {{var}} and that made sense (i.e. unquoted attributes are unsafe). However in v 1.7, is this a typo in the or is it implied that the invalid characters in class name *may* cause a security exception in some obscure browser that might close the class context. Is this a known security issue in any browser?

Change History (5)

comment:1 by djbug, 10 years ago

Description: modified (diff)

comment:2 by djbug, 10 years ago

Description: modified (diff)

comment:3 by Carl Meyer, 10 years ago

Component: UncategorizedDocumentation
Triage Stage: UnreviewedAccepted

It looks to me like those quotes were added in 9432f1, probably without consideration that adding them changed that particular example significantly.

I'm not aware of a browser vulnerability that would make the shown code (with quoted attributes and autoescaping on) vulnerable.

Version 0, edited 10 years ago by Carl Meyer (next)

comment:4 by Carl Meyer <carl@…>, 10 years ago

Resolution: fixed
Status: newclosed

In d16bc7f0e46785bcf422310c41d20b25c0112051:

Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.

Thanks "djbug" for the report.

comment:5 by Carl Meyer <carl@…>, 10 years ago

In d7bc30ffd26ebbe6d98fcd08d9120f44702d2a62:

[1.7.X] Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.

Thanks "djbug" for the report.

Note: See TracTickets for help on using tickets.
Back to Top