Opened 10 years ago
Last modified 10 years ago
#23561 closed Uncategorized
Can unauthorized JS execution happen in quoted & escaped HTML class name? — at Version 2
| Reported by: | djbug | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | 1.7 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
According to https://docs.djangoproject.com/en/1.7/topics/security/
<style class="{{ var }}">...</style>
If var is set to 'class1 onmouseover=javascript:func()', this can result in unauthorized JavaScript execution, depending on how the browser renders imperfect HTML.
If var is escaped and the class attribute is in quotes, how can JS execution happen?
The previous version of the docs, i.e. https://docs.djangoproject.com/en/1.6/topics/security/ and before, didn't have quotes around {{var}}, and that made sense (i.e. unquoted attributes are unsafe). However, in v1.7, is this a typo, or is it implied that the invalid characters in the class name *may* cause a security exception in some obscure browser that might close the class context? Is this a known security issue in any browser?
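The following is an added illustration, not part of the ticket or of Django's own code. It takes the value from the description, escapes it the way Django's autoescaping does (Python's stdlib `html.escape(..., quote=True)` performs the same five substitutions: `& < > " '`; this equivalence is an assumption stated here, not something the ticket says), renders it into a quoted and an unquoted `class` attribute, and then reads the resulting markup back with the stdlib HTML parser to see which attributes a tokenizer actually produces in each case. The value from the ticket contains none of the escaped characters, so escaping leaves it untouched; it is the surrounding quotes, not the escaping, that keep it inside the attribute value, which is why the unquoted form in the older docs was the dangerous one.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample input: the exact value quoted in the ticket description.
UNTRUSTED = 'class1 onmouseover=javascript:func()'


def render_quoted(value):
    """Mimic <style class="{{ var }}">...</style> with autoescaping on (1.7 docs form)."""
    return '<style class="%s">...</style>' % escape(value, quote=True)


def render_unquoted(value):
    """Mimic <style class={{ var }}>...</style> with autoescaping on (1.6 docs form)."""
    return '<style class=%s>...</style>' % escape(value, quote=True)


class _AttrCollector(HTMLParser):
    """Records the attributes the tokenizer produces for the <style> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == 'style':
            self.attrs = dict(attrs)


def parsed_attributes(markup):
    """Return the attribute dict a standards-style tokenizer sees on the <style> tag."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup):
    """True if the rendered tag carries any on* attribute, i.e. the value escaped the attribute context."""
    return any(name.startswith('on') for name in parsed_attributes(markup))


if __name__ == '__main__':
    for label, render in (('quoted', render_quoted), ('unquoted', render_unquoted)):
        markup = render(UNTRUSTED)
        print(label, markup, parsed_attributes(markup), has_event_handler(markup))
```

Running the block shows the quoted rendering parsed as a single `class` attribute whose value is the whole untrusted string, while the unquoted rendering parses as two attributes, `class` and `onmouseover`. A value containing a double quote is turned into `&quot;` by the escaper, so it cannot terminate a quoted attribute either; that is the property the 1.7 documentation example relies on.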
Change History (2)
comment:1 by , 10 years ago
Description: modified (diff)
comment:2 by , 10 years ago
Description: modified (diff)