id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
34514	`firstof` tag does not escape variables defined in `with` tag	Алексей Поклонский	nobody	"django version: 4.0.1
Template snippet example:

{{{
{% with var0=""<script>alert('XSS');</script>"" var1=""12"" %}
{% firstof var0 ""123"" var1 %}
{% endwith %}
}}}

Rendered with:

{{{
def index(request):
    return render(request, 'polls/index.html')
}}}

Rendered result is:

{{{
<script>alert('XSS');</script>
}}}

Expected output is:

{{{
&lt;script&gt;alert(&#x27;XSS&#x27;);&lt;/script&gt;
}}}

In the [https://docs.djangoproject.com/en/4.0/ref/templates/builtins/#firstof docs] you noted that `firstof` will escape variables, but it does not escape them, as you can see. It also does not escape string literals passed to it. For example:

{{{
{% firstof var1 var2 var3 ""<script>alert('XSS');</script>"" %}
}}}

will result in the same unescaped HTML containing the XSS.

Related #17906"	Bug	new	Template system	4.0	Normal		firstof, with, templates		Unreviewed	0	0	0	0	0	0
