Opened 19 months ago

Closed 19 months ago

Last modified 19 months ago

#34514 closed Bug (invalid)

`firstof` and `cycle` tags do not escapes variables defined in `wth` tag — at Version 4

Reported by: Алексей Поклонский Owned by: nobody
Component: Template system Version: 4.0
Severity: Normal Keywords: firstof, with, templates
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Алексей Поклонский)

django version: 4.0.1
Template snippet example:

{% with var0="<script>alert('XSS');</script>" var1="12" %}
{% firstof var0 "123" var1 %}
{% endwith %}

Renders with:

def index(request):
    return render(request, 'polls/index.html')

Rendered result is:

<script>alert('XSS');</script>

Expected output is:

&lt;script&gt;alert(&#x27;XSS&#x27;);&lt;/script&gt;

In docs you noted that firstof will escape variables, but it does not escape them as you can see. And also it does not escape passed string literals. For example:

{% firstof var1 var2 var3 "<script>alert('XSS');</script>" %}

Will result in the same not escaped html with XSS.

The same problem with the cycle tag:

{% with var0="<script>alert('XSS');</script>" %}
{% for var2 in list_var %}
{% cycle var0 "123" %}
{% endfor %}
{% endwith %}

Where list_var is just a context-defined list variable.

Related #17906

Change History (4)

comment:1 by Mariusz Felisiak, 19 months ago

Resolution: invalid
Status: newclosed

All string literals defined on templates are consider safe. If you can define string literals on templates you can put whatever you want and you don't need XSS vulnerabilities. Therefore, there is no value to auto-escaping them.

For the future, report security issues in private by emailing security@… not via the public issue tracker, see docs.

in reply to:  2 comment:3 by Алексей Поклонский, 19 months ago

comment:4 by Алексей Поклонский, 19 months ago

Description: modified (diff)
Summary: `firstof` tag do not escapes variables defined in `wth` tag`firstof` and `cycle` tags do not escapes variables defined in `wth` tag

The same problem with the cycle tag.

Note: See TracTickets for help on using tickets.
Back to Top