#31466 closed New feature (wontfix)
A potential improvement in the Django template filter `escapejs`
Reported by: | Phithon | Owned by: | Phithon |
---|---|---|---|
Component: | Template system | Version: | 3.0 |
Severity: | Normal | Keywords: | escapejs |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Hi, I recently encountered a problem that is related to Django, I think I should report and discuss with you.
As I know, escapejs
is a helpful template filter which can protect us from XSS attack in Javascript string like this:
<script> function example() { query = '{{ request.GET.q | escapejs }}'; } </script>
But there is usually a situation, as time goes on, someone thinks this function is not used anymore and comments it out:
<script> /* function example() { query = '{{ request.GET.q | escapejs }}'; } */ </script>
Oops, A XSS vulnerability is introduced. The attackers can trigger arbitrary javascript execution by the request http://example.com/?q=*/(alert(1))/*
It's not a Django security bug but I also suggest making the /
and *
escaped in the escapejs
filter.
Change History (7)
comment:1 by , 5 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
follow-up: 3 comment:2 by , 5 years ago
I'm afraid this must be classified in programming errors, for which Django cannot help. The escapejs
filter has absolutely no way to detect if it is used in commented code. In your example, it only receives the request.GET.q
content, not the code around it. I'm suggesting to won't fix
that issue, but I'll let a second triager confirm it.
Also please note that security issues should be privately sent to security@… and never on public issue trackers.
https://docs.djangoproject.com/en/stable/internals/security/#reporting-security-issues
comment:3 by , 5 years ago
Replying to Claude Paroz:
I'm afraid this must be classified in programming errors, for which Django cannot help. The
escapejs
filter has absolutely no way to detect if it is used in commented code. In your example, it only receives therequest.GET.q
content, not the code around it. I'm suggesting towon't fix
that issue, but I'll let a second triager confirm it.
Also please note that security issues should be privately sent to security@… and never on public issue trackers.
https://docs.djangoproject.com/en/stable/internals/security/#reporting-security-issues
I don't think it is a security issue, it is a security-related proposal that works for some bad programming practices. Only two characters added in escapejs process, the cost is very small.
Here is a reference to Secure by default policy https://en.wikipedia.org/wiki/Secure_by_default.
comment:4 by , 5 years ago
Summary: | A potential security issue in the Django template filter `escapejs` → A potential improvement in the Django template filter `escapejs` |
---|
comment:5 by , 5 years ago
Are you aware that in the example you provided, the \*
and */
parts are not passed to escapejs
?
comment:6 by , 5 years ago
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
Replying to Claude Paroz:
Are you aware that in the example you provided, the
\*
and*/
parts are not passed toescapejs
?
They pass q=*/(alert(1))/*
so in a clever way we end with a valid JS:
<script> /* function example() { query = '*/(alert(1))/*'; } */ </script>
Replying to Phithon:
Oops, A XSS vulnerability is introduced. The attackers can trigger arbitrary javascript execution by the request
escapejs
does not make the string safe for use in HTML or JavaScript template literals, see documentation. It only protects you from syntax errors when using templates to generate JavaScript/JSON. I agree with Claude.
See related #29055.
comment:7 by , 5 years ago
Hi, thanks for your reply.
In my option, the document and former ticket are talking about "HTML or JavaScript template literals", but the current context is "JavaScript string", seems like a bit different.
Anyway, this ticket can help people who have bad programming practices although it was closed.
PR: https://github.com/django/django/pull/12717