[Django] #23544: Escape backtick


Django

Sep 23, 2014, 3:47:44 AM9/23/14
to django-...@googlegroups.com
#23544: Escape backtick
-------------------------------+--------------------
Reporter: djbug | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: master
Severity: Normal | Keywords: xss
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
IE8 can suffer from XSS if backtick is left unescaped as it can be used to
switch out of the attribute. It should be added in
`django.utils.html.escape()` if this is a serious security issue.

Source & related discussions:

https://cure53.de/fp170.pdf
https://html5sec.org/#102
http://lcamtuf.coredump.cx/postxss/

--
Ticket URL: <https://code.djangoproject.com/ticket/23544>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Sep 23, 2014, 3:48:44 AM9/23/14
to django-...@googlegroups.com
#23544: Escape backtick
-------------------------------+--------------------------------------
Reporter: djbug | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: master
Severity: Normal | Resolution:
Keywords: xss | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by djbug):

* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0


Old description:

> IE8 can suffer from XSS if backtick is left unescaped as it can be used
> to switch out of the attribute. It should be added in
> `django.utils.html.escape()` if this is a serious security issue.
>
> Source & related discussions:
>
> https://cure53.de/fp170.pdf
> https://html5sec.org/#102
> http://lcamtuf.coredump.cx/postxss/

New description:

IE8 can suffer from XSS if backtick is left unescaped as it can be used to
switch out of the attribute. It should be added in
`django.utils.html.escape()` if this is a serious security issue.

Source & related discussions:

1. Paper by Mario Heiderich: https://cure53.de/fp170.pdf
2. https://html5sec.org/#102
3. http://lcamtuf.coredump.cx/postxss/

--

--
Ticket URL: <https://code.djangoproject.com/ticket/23544#comment:1>

Django

Sep 23, 2014, 8:07:25 AM9/23/14
to django-...@googlegroups.com
#23544: Escape backtick
-------------------------------+--------------------------------------
Reporter: djbug | Owner: nobody
Type: Bug | Status: closed
Component: Uncategorized | Version: master
Severity: Normal | Resolution: wontfix
Keywords: xss | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by timgraham):

* status: new => closed
* resolution: => wontfix


Comment:

Please do not report security issues in this ticket tracker! Quoting the
new ticket page: "Please don't report security issues here! Contact
secu...@djangoproject.com instead."

This issue was previously privately reported, however, our research found
that the problem only exists in IE6, 7 and 8. IE6 and 7 are effectively
EOL, and only unpatched versions of IE8 are affected.

Given the potential impact of a change to autoescaping behaviour, the
small cross section of affected browsers, and the limited potential for
exploit (i.e., that the exploit requires a user-injected script to perform
the innerHTML manipulation), we've decided not to patch this issue.

--
Ticket URL: <https://code.djangoproject.com/ticket/23544#comment:2>

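The point the ticket raises (the reporter's proposal to escape the backtick in `django.utils.html.escape()`) and the wontfix rationale above both turn on one observable fact: the standard escaper leaves backticks in attribute values untouched. The following is an added example, not code from the ticket, from Django, or from any of the linked papers. It mirrors the five characters Django's escaper handles (an assumption about Django's table; the exact entity text for the single quote differs between releases) and places a hypothetical hardened table beside it that additionally maps the backtick to `&#96;`, so the difference shows up on constructed input. `render_title_link` and `raw_backticks` are this example's own helper names.

```python
# Added example, not part of the ticket or of Django's code base.
# Assumption: django.utils.html.escape() replaces exactly the five
# characters below; the single-quote entity follows current releases
# (older releases emit a different but equivalent reference).
DJANGO_STYLE_ESCAPES = (
    ("&", "&amp;"),   # ampersand first, so later entities are not re-escaped
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#x27;"),
)

# Hypothetical hardened table: the ticket's proposal applied, with the
# backtick mapped to its numeric character reference. This is what Django
# chose not to ship; the reference form is this example's own choice.
HARDENED_ESCAPES = DJANGO_STYLE_ESCAPES + (("`", "&#96;"),)


def escape(text, table=DJANGO_STYLE_ESCAPES):
    """Replace each character listed in `table`, in order, with its entity."""
    for raw, entity in table:
        text = text.replace(raw, entity)
    return text


def render_title_link(untrusted, table=DJANGO_STYLE_ESCAPES):
    """Interpolate untrusted text into a double-quoted title attribute,
    the way an autoescaped template variable would be rendered."""
    return '<a href="/" title="%s">link</a>' % escape(untrusted, table)


def raw_backticks(markup):
    """Count backticks that survived escaping in a rendered fragment.
    A non-zero count is the condition the ticket is concerned with."""
    return markup.count("`")


if __name__ == "__main__":
    # Constructed sample value carrying quote, angle-bracket and backtick
    # characters; nothing here is a payload from the linked references.
    sample = 'x" `y` <z>'
    for name, table in (("django-style", DJANGO_STYLE_ESCAPES),
                        ("hardened", HARDENED_ESCAPES)):
        out = render_title_link(sample, table)
        print(name, raw_backticks(out), out)
```

With the Django-style table the double quote, angle brackets and ampersand are neutralised but both backticks survive into the attribute value; with the hardened table the rendered fragment contains no raw backtick at all. An application that wants the hardened behaviour has to apply it itself (for example in its own template filter), since, per the comment above, the framework's `escape()` was deliberately left unchanged.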