Opened 14 months ago
Last modified 14 months ago
#34514 closed Bug
`firstof` tag do not escapes variables defined in `wth` tag — at Initial Version
| Reported by: | Алексей Поклонский | Owned by: | nobody |
|---|---|---|---|
| Component: | Template system | Version: | 4.0 |
| Severity: | Normal | Keywords: | firstof, with, templates |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
django version: 4.0.1
Template snippet example:
{% with var0="<script>alert('XSS');</script>" var1="12" %}
{% firstof var0 "123" var1 %}
{% endwith %}
Renders with:
def index(request):
return render(request, 'polls/index.html')
Rendered result is:
<script>alert('XSS');</script>
Expected output is:
<script>alert('XSS');</script>
In docs you noted that firstof will escape variables, but it does not escape them as you can see. And also it does not escape passed string literals. For example:
{% firstof var1 var2 var3 "<script>alert('XSS');</script>" %}
Will result in the same not escaped html with XSS.
Related #17906
Note:
See TracTickets
for help on using tickets.