#4991 closed Cleanup/optimization (fixed)
Emphasize XSS ramifications of help_text not being escaped
Reported by: | anonymous | Owned by: | Adrian Holovaty |
---|---|---|---|
Component: | Documentation | Version: | dev |
Severity: | Normal | Keywords: | help_text escape |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Help text in models is not escaped in admin.
<code>
class Post(models.Model) :
title = models.CharField(maxlength=1000,null=True,blank=True,
help_text='<obvious>This is the title</obvious>')
</code>
The admin interface will not show it (and using non-closed <blink> could be fun)
I guess this is a bug or it should be documented in models that help_text must be html.
I would propose no html in models.py, (so escaping help_text and no formatting in help text).
Maybe ReST would be the best of both worlds.
Attachments (2)
Change History (15)
comment:1 by , 17 years ago
Has patch: | set |
---|---|
Summary: | help_text not escaped in admin → contrib.admin does not escape help_text (potential XSS) |
Triage Stage: | Unreviewed → Ready for checkin |
by , 17 years ago
Attachment: | contrib.diff added |
---|
comment:2 by , 17 years ago
Summary: | contrib.admin does not escape help_text (potential XSS) → contrib.admin does not escape help_text |
---|
comment:3 by , 17 years ago
Triage Stage: | Ready for checkin → Design decision needed |
---|
This is, of course, slightly breaking backwards compatibility. People may be relying on putting html in help text (eg help_text='Please use the following format: <em>yyyy-mm-dd</em>'
)
Are we sure we don't just want to change the documentation instead?
comment:4 by , 17 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
The help_text
is intentionally unescaped, exactly for the reason SmileyChris pointed out. I've added this to the documentation in [5816].
comment:5 by , 12 years ago
Easy pickings: | unset |
---|---|
Resolution: | wontfix |
Severity: | → Normal |
Status: | closed → new |
Triage Stage: | Design decision needed → Someday/Maybe |
Type: | → Uncategorized |
UI/UX: | unset |
Although the documentation from [5816] does say help_text isn't escaped, it could be more clear that this means user-derived content shouldn't be exposed through help_text. Putting user content in help_text is an edge case, but it's a conceivable edge case (e.g., user-submitted translations), and we're departing from Django's usual "security by default" policy here, so it's worth being explicit.
Longer term, in the interests of consistency and "security by default", it might also be worth reversing this decision; we have mark_safe(), so if someone needs markup in help_text. However, there's obviously backwards compatibility concerns in doing this, so we'd need a plan for making this change.
comment:6 by , 12 years ago
As far as translations are concerned, see #18208. We chose to consider translations as a safe source. It's the developper's duty to check that no suspicious code is inserted by mean of translations. So I think we should exclude that use case from the current issue, unless someone wants to reconsider #18208.
comment:7 by , 12 years ago
@claudep - In this case, I'm referring to a slightly different case for translations. Translations from po files are relatively safe because they need to be committed to the repository before use. I was referring to the possible case of someone storing translations in the database as runtime data, and using those as help_text. It's an edge case on the edge of an edge case, but it's possible.
comment:8 by , 11 years ago
Component: | contrib.admin → Documentation |
---|---|
Has patch: | unset |
Triage Stage: | Someday/Maybe → Accepted |
Type: | Uncategorized → Cleanup/optimization |
If we want to document the edge case on the edge of an edge case, we can do it now ;-)
by , 10 years ago
comment:9 by , 10 years ago
Has patch: | set |
---|---|
Summary: | contrib.admin does not escape help_text → Emphasize XSS ramifications of help_text not being escaped |
comment:10 by , 10 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
comment:11 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
removing the "potential xss" flag as that was alarmist of me - if someone can edit models.py, then you've got bigger issues than an XSS attack!