Opened 8 years ago

Closed 7 years ago

#5882 closed (invalid)

Cross-site scripting not mentioned in the tutorial

Reported by: roland.illig@…
Owned by: nobody
Component: Documentation
Version: master
Severity:
Keywords: xss cross-site-scripting
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Am I right that you don't mention the problem of cross-site scripting in the tutorial? Let's say I would add a poll like this:

question: What does <script>alert("foo");</script> do?

Would the application output a properly quoted question or would I get a JavaScript message box?

Change History (3)

comment:1 Changed 8 years ago by brosner

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

Protecting yourself against XSS is a fundamental security issue that any person doing web development must know and protect against. Django provides an escape template filter. I am closing this ticket since:

  1. You should be using escape on user input regardless.
  2. The admin site where a user would enter that (through the admin) is for trusted users and not the general public.

comment:2 Changed 8 years ago by roland.illig@…

  • Resolution invalid deleted
  • Status changed from closed to reopened

You probably wanted to attach the response to ticket 5880. This ticket is about documentation, not admin.

In the examples in the tutorial, the "escape" function is not mentioned. This makes the readers believe that just including the raw text into the HTML code is the right way to do it.

None of the following three pages has the word "escape" in it:
http://www.djangoproject.com/documentation/tutorial01/
http://www.djangoproject.com/documentation/tutorial02/
http://www.djangoproject.com/documentation/tutorial03/

comment:3 Changed 7 years ago by ubernostrum

  • Resolution set to invalid
  • Status changed from reopened to closed

Django's default autoescaping of template output makes this moot, and there's a section in the template docs where people can learn how to turn it off if they can't stand it.
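To make the two positions in this thread concrete (comment 1's "use the escape filter" and comment 3's "autoescaping makes this moot"), here is an added example that is not part of the ticket or of Django's code. It uses only the Python standard library, with `html.escape` standing in for what Django's `escape` filter and default autoescaping do to every `{{ variable }}`. The page template, the poll question from the ticket description and the second attribute-breakout input are constructed sample data; `render_unescaped` and `render_escaped` are hypothetical names chosen for the example.

```python
"""Raw interpolation versus HTML-escaped output for a poll question.

Added example, not Django's code: html.escape stands in for Django's
escape filter / autoescaping so the block runs without Django installed.
"""
from html import escape

# Constructed sample data: the poll question from the ticket description.
QUESTION = 'What does <script>alert("foo");</script> do?'

# Constructed sample data: a question that does not need <script> at all,
# because it breaks out of an attribute value instead.
ATTR_BREAKOUT = '" autofocus onfocus="alert(1)'

# Hypothetical page fragment mirroring a tutorial detail view: the question
# is shown once as element content and once inside an attribute value.
PAGE = '<h1>{q}</h1>\n<input type="text" name="q" value="{q}">'


def render_unescaped(question: str) -> str:
    """Vulnerable: the question is interpolated verbatim into the HTML,
    which is what a reader of the tutorial would assume is fine."""
    return PAGE.format(q=question)


def render_escaped(question: str) -> str:
    """Hardened: &, <, >, " and ' are escaped before interpolation.
    quote=True matters: without it the attribute context above would
    still be breakable, even though <script> could no longer be injected."""
    return PAGE.format(q=escape(question, quote=True))


def contains_script_tag(markup: str) -> bool:
    """Crude check used to compare the two renderings."""
    return "<script" in markup.lower()


def contains_event_handler_breakout(markup: str) -> bool:
    """Did the input manage to open a new attribute with a JS handler?"""
    return 'onfocus="' in markup


if __name__ == "__main__":
    for q in (QUESTION, ATTR_BREAKOUT):
        print("--- unescaped ---")
        print(render_unescaped(q))
        print("--- escaped ---")
        print(render_escaped(q))
```

In Django terms, `render_escaped` is what `{{ question }}` produces under the default autoescaping, and `render_unescaped` is what you get back by writing `{{ question|safe }}` or wrapping the output in `{% autoescape off %}`; the attribute case is why the escaping has to cover quotes, not just angle brackets.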
