#7177 closed (fixed)
Expand and modify escaping of JavaScript strings in the escapejs filter
Reported by: | Owned by: | nobody | |
---|---|---|---|
Component: | Template system | Version: | dev |
Severity: | Keywords: | aug22sprint | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
The escapejs filter currently escapes a small subset of characters to prevent JavaScript injection. However, the resulting strings can still contain valid HTML, leading to XSS vulnerabilities. Using hex encoding as opposed to backslash escaping, effectively prevents Javascript injection and also helps prevent XSS. Attached is a small patch that modifies the _js_escapes tuple to use hex encoding on an expanded set of characters.
Attachments (5)
Change History (19)
by , 17 years ago
Attachment: | django_js_escapes.diff added |
---|
by , 17 years ago
Attachment: | django_js_escapes.2.diff added |
---|
comment:1 by , 17 years ago
comment:2 by , 17 years ago
milestone: | → 1.0 |
---|
comment:3 by , 16 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:4 by , 16 years ago
Keywords: | aug22sprint added |
---|
comment:5 by , 16 years ago
Patch needs improvement: | set |
---|
That big table of mappings is a little unwieldy (all the hex code mappings). Would be good if that could be generated programmatically so that we have confidence there are no typos in there. I'm just talking about the \x01 -> "\x01"
pieces.
comment:6 by , 16 years ago
for x in range(32):
print "%02X" % x
Should do it. I'll make a patch later tonight if need be.
by , 16 years ago
Attachment: | 7177-readable.diff added |
---|
Same as 7177.diff with an update to the AUTHORS files and a self generating _js_escapes tuple.
comment:8 by , 16 years ago
Just note that I renamed _js_escapes to _base_js_escapes so that when the remaining escaping rules are programmatically generated, we don't end up with duplicate entries. The end result is the same, a tuple called _js_escapes.
comment:9 by , 16 years ago
Attached a diff that combines the code into one function. Also added myself to the AUTHORS file as well, because of my work on #7416 and lots of trac help.
comment:10 by , 16 years ago
I'd argue the second to most recent version is more readable. If you choose to go with the more concise version, I'd add comments so it's clear whats happening.
comment:11 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Version 1 didn't escape \'s first. Version 2 fixes this.