Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#29055 closed Cleanup/optimization (fixed)

Document that escapejs doesn't make template literals safe

Reported by: Alvin Lindstam Owned by: Tim Graham
Component: Documentation Version: 2.0
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The escapejs template tag is used to make arbitrary input strings safe to put in a JavaScript string literal. Since 6ae1b04fb584db0fdb22b8e287784c4ed3ac62ac, it escapes the U+0060 (grave accent) which indicates that it could be used to escape values within JavaScript template strings (which grave accents are used to declare). The ticket that it fixes also states that it is intended to be supposed to be used within template literals (#27900).

escapejs escapes the grave accent, so it will not be able to end the template literal. However, template literals allow embedded expressions which are executed and whose return value is used in the string. The syntax to use such expressions is not escaped.

Whenever escapejs is used to escape a user provided value to a js template literal, an attacker could insert text that will be executed as JavaScript by wrapping it in curly braces with a leading dollar sign, such as ${alert(String.fromCharCode(88) + String.fromCharCode(83) + String.fromCharCode(83))} (which would translate to executing alert("XSS") in the client.

Adding the dollar sign to _js_escapes in https://github.com/django/django/blob/d38a3169a426516623929ff8c2b2c9703d801b75/django/utils/html.py#L55-L68 and replacing it with \u0024 would fix the problem but break the case of using template variables to intentionally deliver template literals (non-user provided). Following a report to the security mailing list, the consensus is to document that escapejs shouldn't be used to protect untrusted template literals.

Change History (4)

comment:1 Changed 2 years ago by Tim Graham

Has patch: set

comment:2 Changed 2 years ago by Loic Bistuer

Triage Stage: AcceptedReady for checkin

comment:3 Changed 2 years ago by GitHub <noreply@…>

Resolution: fixed
Status: assignedclosed

In f229049:

Fixed #29055 -- Doc'd that escapejs doesn't make template literals safe.

comment:4 Changed 2 years ago by Tim Graham <timograham@…>

In ed206a9b:

[2.0.x] Fixed #29055 -- Doc'd that escapejs doesn't make template literals safe.

Backport of f229049d6cd186025f4033dc47608b0c9731e882 from master

Note: See TracTickets for help on using tickets.
Back to Top