id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36831	Add validation for CSP directive names and values in build_policy()	Naveed Qadir	Naveed Qadir	"The `build_policy()` function in `django/utils/csp.py` does not validate directive names or values, allowing malformed CSP policies to be generated.

== Problem ==

CSP policies use semicolons to separate directives. If a directive name or value contains a semicolon (e.g., from a misconfiguration), it can result in a malformed policy:

{{{#!python
from django.utils.csp import build_policy, CSP

# This produces a malformed CSP header
policy = {""script-src"": [""https://good.com; report-uri https://evil.com""]}
build_policy(policy)
# Returns: ""script-src https://good.com; report-uri https://evil.com""
# The semicolon splits what should be one directive into two!
}}}

While this requires developer misconfiguration (not user input), it's a hardening improvement to catch these errors early with a clear error message rather than silently producing invalid policies.

== Solution ==

Add validation to `build_policy()` that raises `ValueError` if:
- Directive names contain semicolons, `\r`, or `\n`
- Values contain semicolons

The error messages guide developers to use proper list syntax for multiple values.
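A stand-in for the validated build_policy() described above, as an added example that is neither Django's code nor the ticket's patch: build_policy_validated, validate_directive and describe_rejection are hypothetical names, and the input shape (a dict mapping a directive name to a list of string values) follows the ticket's own example.

```python
# Added example (not Django's own code): a stand-in for build_policy() that
# performs the validation this ticket proposes. Assumes the ticket's input
# shape: a dict mapping each directive name to a list of string values.

NAME_FORBIDDEN = (';', '\r', '\n')


def validate_directive(name, values):
    # A name holding a separator or line break would start a second directive
    # or break the header line, so reject it outright.
    if any(ch in name for ch in NAME_FORBIDDEN):
        raise ValueError(
            'CSP directive name %r must not contain %r, %r or %r.'
            % (name, ';', '\r', '\n')
        )
    # A value holding a semicolon splits one directive into two; several
    # sources belong in the list as separate items, not in one string.
    for value in values:
        if ';' in value:
            raise ValueError(
                'CSP directive %r value %r must not contain a semicolon; '
                'pass multiple values as list items instead.' % (name, value)
            )


def build_policy_validated(directives):
    # Same serialisation the ticket shows (space-joined values, directives
    # joined by '; '), but only after every directive has been validated.
    parts = []
    for name, values in directives.items():
        validate_directive(name, values)
        parts.append(' '.join([name, *values]))
    return '; '.join(parts)


def describe_rejection(directives):
    # Return the error message a developer would see for a malformed policy,
    # or None when the policy is accepted.
    try:
        build_policy_validated(directives)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    # The ticket's malformed example is rejected instead of silently gaining
    # a report-uri directive.
    print(describe_rejection(
        {'script-src': ['https://good.com; report-uri https://evil.com']}))
    print(build_policy_validated(
        {'default-src': ['\'self\''], 'script-src': ['https://good.com']}))
```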

== Patch ==

A patch with tests is ready and is submitted as a PR."	Cleanup/optimization	assigned	Utilities	6.0	Normal		csp,validation	Naveed Qadir	Unreviewed	1	0	0	0	0	0
