Opened 3 years ago

Closed 3 years ago

#33523 closed Bug (invalid)

remove dangerous text from translated message about csrf error

Reported by: Maxim Danilov Owned by: nobody
Component: CSRF Version: 4.0
Severity: Normal Keywords: csrf error message
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

in django\views\csrf.py function csrf_failure defined error dictionary "c" (error_name: error_description)

item with key 'no_referer3' has text:
'If you are using the <meta name="referrer" content=\"no-referrer\"> tag or including the “Referrer-Policy: no-referrer” header, please remove them. The CSRF protection requires the “Referer” header to do strict referer checking. If you’re concerned about privacy, use alternatives like <a rel=\"noreferrer\" …> for links to third-party sites.'

If i put this message simply in <html><head><title> {{ c.no_referer3 }} </title>, it break browser work.
The browsers takes <meta name="referrer" content=\"no-referrer\"> as normal meta. (chrome and Firefox)

This text "from box" has not escaped symbols and therefore it is dangerous. Of course, I can change it with translations.

Change History (1)

comment:1 by Mariusz Felisiak, 3 years ago

Resolution: invalid
Status: newclosed

Thanks for this report, however I cannot imagine how that could be dangerous 🤔. As far as I understand correctly, you have a custom template for CSRF failure and you put no_referer3 in the <head> HTML tag, even so it's not marked as safe and will not be interpreted by a browser.

Note: See TracTickets for help on using tickets.
Back to Top