[Django] #34514: `firstof` tag does not escape variables defined in `with` tag

From: Django
Date: Apr 24, 2023, 1:23:22 PM
To: django-...@googlegroups.com
#34514: `firstof` tag does not escape variables defined in `with` tag
-------------------------------------+-------------------------------------
Reporter: Алексей Поклонский         | Owner: nobody
Type: Bug                            | Status: new
Component: Template system           | Version: 4.0
Severity: Normal                     | Keywords: firstof, with, templates
Triage Stage: Unreviewed             | Has patch: 0
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 0
UI/UX: 0                             |
-------------------------------------+-------------------------------------
django version: 4.0.1
Template snippet example:

{{{
{% with var0="<script>alert('XSS');</script>" var1="12" %}
{% firstof var0 "123" var1 %}
{% endwith %}
}}}

Renders with:

{{{
from django.shortcuts import render


def index(request):
    # Renders the template containing the snippet above with an empty context
    return render(request, 'polls/index.html')
}}}

Rendered result is:

{{{
<script>alert('XSS');</script>
}}}

Expected output is:

{{{
&lt;script&gt;alert(&#x27;XSS&#x27;);&lt;/script&gt;
}}}

In [https://docs.djangoproject.com/en/4.0/ref/templates/builtins/#firstof
docs] you noted that `firstof` will escape variables, but it does not
escape them as you can see. And also it does not escape passed string
literals. For example:

{{{
{% firstof var1 var2 var3 "<script>alert('XSS');</script>" %}
}}}

Will result in the same unescaped HTML with XSS.

Related #17906

--
Ticket URL: <https://code.djangoproject.com/ticket/34514>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

From: Django
Date: Apr 24, 2023, 2:44:16 PM
To: django-...@googlegroups.com
#34514: `firstof` tag does not escape variables defined in `with` tag
-------------------------------------+-------------------------------------
Reporter: Алексей Поклонский         | Owner: nobody
Type: Bug                            | Status: closed
Component: Template system           | Version: 4.0
Severity: Normal                     | Resolution: invalid
Keywords: firstof, with, templates   | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => invalid


Comment:

All string literals defined on templates are considered safe. If you can
define string literals on templates you can put whatever you want and you
don't need XSS vulnerabilities. Therefore, there is no value to
auto-escaping them.

For the future, report security issues in **private** by emailing
secu...@djangoproject.com not via the public issue tracker, see
[https://docs.djangoproject.com/en/dev/internals/security/#reporting-security-issues docs].

--
Ticket URL: <https://code.djangoproject.com/ticket/34514#comment:1>

From: Django
Date: Apr 25, 2023, 2:25:20 AM
To: django-...@googlegroups.com
#34514: `firstof` tag does not escape variables defined in `with` tag

Comment (by Mariusz Felisiak):

See https://docs.djangoproject.com/en/stable/ref/templates/language/#string-literals-and-automatic-escaping.

--
Ticket URL: <https://code.djangoproject.com/ticket/34514#comment:2>

From: Django
Date: Apr 25, 2023, 5:59:40 AM
To: django-...@googlegroups.com
#34514: `firstof` tag does not escape variables defined in `with` tag

Comment (by Алексей Поклонский):

Replying to [comment:2 Mariusz Felisiak]:
> See https://docs.djangoproject.com/en/stable/ref/templates/language/#string-literals-and-automatic-escaping.

Ok, big thanks for quick response!

--
Ticket URL: <https://code.djangoproject.com/ticket/34514#comment:3>
