Opened 10 years ago

Closed 10 years ago

#5882 closed (invalid)

Cross-site scripting not mentioned in the tutorial

Reported by: roland.illig@…
Owned by: nobody
Component: Documentation
Version: master
Severity:
Keywords: xss cross-site-scripting
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:


Am I right that you don't mention the problem of cross-site scripting in the tutorial? Let's say I would add a poll like this:

question: What does <script>alert("foo");</script> do?

Would the application output a properly quoted question or would I get a JavaScript message box?

Change History (3)

comment:1 Changed 10 years ago by Brian Rosner

Resolution: invalid
Status: new → closed

Protecting yourself against XSS is a fundamental security issue that any person doing web development must know and protect against. Django provides an escape template filter. I am closing this ticket since:

  1. You should be using escape on user input regardless.
  2. The admin site where a user would enter that (through the admin) is for trusted users and not the general public.

comment:2 Changed 10 years ago by roland.illig@…

Resolution: invalid
Status: closed → reopened

You probably wanted to attach the response to ticket 5880. This ticket is about documentation, not admin.

In the examples in the tutorial, the "escape" function is not mentioned. This makes the readers believe that just including the raw text into the HTML code is the right way to do it.

None of the three following pages has the word "escape" in it:

comment:3 Changed 10 years ago by James Bennett

Resolution: invalid
Status: reopened → closed

Django's default autoescaping of template output makes this moot, and there's a section in the template docs where people can learn how to turn it off if they can't stand it.
