Opened 17 years ago

Closed 16 years ago

Last modified 18 months ago

#7177 closed (fixed)

Expand and modify escaping of JavaScript strings in the escapejs filter

Reported by: Mike Wiacek <mjwiacek@…> Owned by: nobody
Component: Template system Version: dev
Severity: Keywords: aug22sprint
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description

The escapejs filter currently escapes a small subset of characters to prevent JavaScript injection. However, the resulting strings can still contain valid HTML, leading to XSS vulnerabilities. Using hex encoding as opposed to backslash escaping, effectively prevents Javascript injection and also helps prevent XSS. Attached is a small patch that modifies the _js_escapes tuple to use hex encoding on an expanded set of characters.

Attachments (5)

django_js_escapes.diff (1.7 KB ) - added by Mike Wiacek <mjwiacek@…> 17 years ago.
django_js_escapes.2.diff (1.7 KB ) - added by Mike Wiacek <mjwiacek@…> 17 years ago.
7177.patch (3.0 KB ) - added by Collin Grady 16 years ago.
added tests
7177-readable.diff (2.5 KB ) - added by mjwiacek 16 years ago.
Same as 7177.diff with an update to the AUTHORS files and a self generating _js_escapes tuple.
7177-updated.diff (2.7 KB ) - added by Eric Holscher 16 years ago.
Combining the code into one function

Download all attachments as: .zip

Change History (19)

by Mike Wiacek <mjwiacek@…>, 17 years ago

Attachment: django_js_escapes.diff added

by Mike Wiacek <mjwiacek@…>, 17 years ago

Attachment: django_js_escapes.2.diff added

comment:1 by Mike Wiacek <mjwiacek@…>, 17 years ago

Version 1 didn't escape \'s first. Version 2 fixes this.

comment:2 by Jacob, 17 years ago

milestone: 1.0

comment:3 by Eric Holscher, 16 years ago

Triage Stage: UnreviewedAccepted

by Collin Grady, 16 years ago

Attachment: 7177.patch added

added tests

comment:4 by Collin Grady, 16 years ago

Keywords: aug22sprint added

comment:5 by Malcolm Tredinnick, 16 years ago

Patch needs improvement: set

That big table of mappings is a little unwieldy (all the hex code mappings). Would be good if that could be generated programmatically so that we have confidence there are no typos in there. I'm just talking about the \x01 -> "\x01" pieces.

comment:6 by Eric Holscher, 16 years ago

for x in range(32):

print "%02X" % x

Should do it. I'll make a patch later tonight if need be.

comment:7 by mjwiacek@…, 16 years ago

Working on a shorter version now.

by mjwiacek, 16 years ago

Attachment: 7177-readable.diff added

Same as 7177.diff with an update to the AUTHORS files and a self generating _js_escapes tuple.

comment:8 by mjwiacek, 16 years ago

Just note that I renamed _js_escapes to _base_js_escapes so that when the remaining escaping rules are programmatically generated, we don't end up with duplicate entries. The end result is the same, a tuple called _js_escapes.

by Eric Holscher, 16 years ago

Attachment: 7177-updated.diff added

Combining the code into one function

comment:9 by Eric Holscher, 16 years ago

Attached a diff that combines the code into one function. Also added myself to the AUTHORS file as well, because of my work on #7416 and lots of trac help.

comment:10 by mjwiacek, 16 years ago

I'd argue the second to most recent version is more readable. If you choose to go with the more concise version, I'd add comments so it's clear whats happening.

comment:11 by Malcolm Tredinnick, 16 years ago

Resolution: fixed
Status: newclosed

(In [8577]) Fixed #7177 -- Added extra robustness to the escapejs filter so that all
invalid characters are correctly escaped. This avoids any chance to inject raw
HTML inside <script> tags. Thanks to Mike Wiacek for the patch and Collin Grady
for the tests.

comment:12 by Jacob, 13 years ago

milestone: 1.0

Milestone 1.0 deleted

comment:13 by Mariusz Felisiak <felisiak.mariusz@…>, 18 months ago

Easy pickings: unset
UI/UX: unset

In adfb3dfa:

Fixed #33405, Refs #7177 -- Clarified docs for filter escapejs regarding safe and unsafe usages.

comment:14 by Mariusz Felisiak <felisiak.mariusz@…>, 18 months ago

In e54f711:

[4.2.x] Fixed #33405, Refs #7177 -- Clarified docs for filter escapejs regarding safe and unsafe usages.

Backport of adfb3dfa89b62ee0c838a64d3d480c03dd3ec869 from main

Note: See TracTickets for help on using tickets.
Back to Top