Opened 10 years ago

Last modified 10 years ago

#23561 closed Uncategorized

Can unauthorized JS execution happen in quoted & escaped HTML class name? — at Initial Version

Reported by: djbug Owned by: nobody
Component: Documentation Version: 1.7
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

According to https://docs.djangoproject.com/en/1.7/topics/security/

<style class="{{ var }}">...</style>

If var is set to 'class1 onmouseover=javascript:func()', this can result in unauthorized JavaScript execution, depending on how the browser renders imperfect HTML.

If var is escaped and the class attribute is in quotes, how can JS execution happen?

The previous version of the docs, i.e. https://docs.djangoproject.com/en/1.6/topics/security/ and before, didn't have quotes around {{var}}, and that made sense, as you switch out of the attribute context with many characters. Is this a typo in the docs for 1.7?
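The quoted-versus-unquoted distinction the reporter asks about, as an added example that is not part of the ticket or of Django: it substitutes the ticket's value into both forms of the docs snippet, using Python's `html.escape` as a stand-in for Django's autoescaping of `& < > " '` (an assumption of this example), and then asks the standard-library HTML parser which attributes it actually sees.

```python
import html
from html.parser import HTMLParser

# Value from the ticket: it contains none of the characters autoescaping touches,
# so escaping leaves it unchanged; only the surrounding quotes can contain it.
PAYLOAD = "class1 onmouseover=javascript:func()"
# Constructed value that tries to close the quoted attribute with a literal ".
BREAKOUT = 'x" onmouseover="func()'

QUOTED = '<style class="{{ var }}">...</style>'   # the 1.7 docs snippet
UNQUOTED = '<style class={{ var }}>...</style>'    # the pre-1.7 docs snippet


class AttrCollector(HTMLParser):
    """Record the attributes the parser assigns to the first start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def render(template, value, autoescape=True):
    """Mimic {{ var }} substitution; html.escape(quote=True) escapes & < > " '."""
    rendered = html.escape(value, quote=True) if autoescape else value
    return template.replace("{{ var }}", rendered)


def parsed_attrs(markup):
    """Return the attribute dict a browser-like tokenizer derives from markup."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def has_event_handler(attrs):
    """True if any attribute name is an on* event handler."""
    return any(name.startswith("on") for name in attrs)


if __name__ == "__main__":
    for label, tpl, val in (("quoted", QUOTED, PAYLOAD),
                            ("quoted+breakout", QUOTED, BREAKOUT),
                            ("unquoted", UNQUOTED, PAYLOAD)):
        attrs = parsed_attrs(render(tpl, val))
        print(f"{label:16} {attrs}  handler={has_event_handler(attrs)}")
```

With quotes, both values end up as the single `class` value (the `"` in the second is escaped to `&quot;` and unescaped back inside the attribute); without quotes, the space in the ticket's value starts a new `onmouseover` attribute.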

Change History (0)
