[Django] #31466: A potential security issue in the Django template filter `escapejs`


Django

Apr 14, 2020, 2:42:26 PM
to django-...@googlegroups.com
#31466: A potential security issue in the Django template filter `escapejs`
-------------------------------------------+--------------------------
Reporter: phithon | Owner: nobody
Type: New feature | Status: new
Component: Template system | Version: 3.0
Severity: Normal | Keywords: escapejs
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------------+--------------------------
Hi, I recently encountered a problem related to Django that I think I
should report and discuss with you.

As far as I know, `escapejs` is a helpful template filter which can protect
us from XSS attacks in JavaScript strings like this:

{{{
<script>
function example() {
query = '{{ request.GET.q | escapejs }}';
}
</script>
}}}

But there is a common situation: as time goes on, someone decides this
function is not used anymore and comments it out:

{{{
<script>
/*
function example() {
query = '{{ request.GET.q | escapejs }}';
}
*/
</script>
}}}

Oops, an XSS vulnerability is introduced. Attackers can trigger
arbitrary JavaScript execution with the request
{{{http://example.com/?q=*/(alert(1))/*}}}

It's not a Django security bug, but I also suggest escaping `/` and `*`
in the `escapejs` filter.

--
Ticket URL: <https://code.djangoproject.com/ticket/31466>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Apr 14, 2020, 3:00:48 PM
to django-...@googlegroups.com
#31466: A potential security issue in the Django template filter `escapejs`
Changes (by Phithon):

* owner: nobody => Phithon
* status: new => assigned


Comment:

PR: https://github.com/django/django/pull/12717

--
Ticket URL: <https://code.djangoproject.com/ticket/31466#comment:1>

Django

Apr 14, 2020, 3:03:02 PM
to django-...@googlegroups.com
#31466: A potential security issue in the Django template filter `escapejs`

Comment (by Claude Paroz):

I'm afraid this must be classified as a programming error, for which Django
cannot help. The `escapejs` filter has absolutely no way to detect whether it
is used in commented code. In your example, it only receives the
`request.GET.q` content, not the code around it. I'm suggesting to mark that
issue `won't fix`, but I'll let a second triager confirm it.

Also please note that security issues should be privately sent to
secu...@djangoproject.com and never to public issue trackers.
https://docs.djangoproject.com/en/stable/internals/security/#reporting-security-issues

--
Ticket URL: <https://code.djangoproject.com/ticket/31466#comment:2>

Django

Apr 14, 2020, 3:12:36 PM
to django-...@googlegroups.com
#31466: A potential security issue in the Django template filter `escapejs`

Comment (by Phithon):

Replying to [comment:2 Claude Paroz]:

> I'm afraid this must be classified in programming errors, for which
> Django cannot help. The `escapejs` filter has absolutely no way to detect
> if it is used in commented code. In your example, it only receives the
> `request.GET.q` content, not the code around it. I'm suggesting to `won't
> fix` that issue, but I'll let a second triager confirm it.
>
> Also please note that security issues should be privately sent to
> secu...@djangoproject.com and never on public issue trackers.
> https://docs.djangoproject.com/en/stable/internals/security/#reporting-security-issues

I don't think it is a security issue; it is a security-related proposal
that helps with some bad programming practices. Only two characters are
added to the `escapejs` process, so the cost is very small.

Here is a reference to the Secure by default policy:
https://en.wikipedia.org/wiki/Secure_by_default.

--
Ticket URL: <https://code.djangoproject.com/ticket/31466#comment:3>

Django

Apr 14, 2020, 3:14:18 PM
to django-...@googlegroups.com
#31466: A potential improvement in the Django template filter `escapejs`


--
Ticket URL: <https://code.djangoproject.com/ticket/31466#comment:4>

Django

Apr 14, 2020, 3:33:47 PM
to django-...@googlegroups.com
#31466: A potential improvement in the Django template filter `escapejs`

Comment (by Claude Paroz):

Are you aware that in the example you provided, the `\*` and `*/` parts
are **not** passed to `escapejs`?

--
Ticket URL: <https://code.djangoproject.com/ticket/31466#comment:5>

Django

Apr 15, 2020, 1:11:49 AM
to django-...@googlegroups.com
#31466: A potential improvement in the Django template filter `escapejs`
Changes (by felixxm):

* status: assigned => closed
* resolution: => wontfix


Comment:

Replying to [comment:5 Claude Paroz]:

> Are you aware that in the example you provided, the `\*` and `*/` parts
> are **not** passed to `escapejs`?

They pass `q=*/(alert(1))/*`, so in a clever way we end up with valid JS:
{{{
<script>
/*
function example() {
query = '*/(alert(1))/*';
}
*/
</script>
}}}

Replying to [ticket:31466 Phithon]:

> Oops, A XSS vulnerability is introduced. The attackers can trigger
> arbitrary javascript execution by the request

`escapejs` **does not** make the string safe for use in HTML or JavaScript
template literals, see the
[https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#escapejs documentation].
It only protects you from syntax errors when using templates to generate
JavaScript/JSON. I agree with Claude.

See related #29055.

--
Ticket URL: <https://code.djangoproject.com/ticket/31466#comment:6>
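To make Claude's and felixxm's point concrete, here is an added example (my own code, not Django's and not the code from the pull request). It reimplements the `escapejs` character map as I understand Django 3.0's `django.utils.html` to define it (typed from memory rather than imported, so treat the table as an assumption), adds the `/` and `*` escapes the ticket proposes, and runs a small scanner over the rendered `<script>` body to show which text ends up outside the block comment. The `TEMPLATE`, `render`, `live_code`, `escapejs_proposed` and `PROPOSED_EXTRA` names are mine, and the request value is the one from the ticket.

```python
# Character map of Django 3.0's ``escapejs`` (django.utils.html), reproduced
# here from memory as an assumption; it is not imported from Django so the
# example runs without the framework installed.
JS_ESCAPES = {
    "\\": "\\u005C",
    "'": "\\u0027",
    '"': "\\u0022",
    ">": "\\u003E",
    "<": "\\u003C",
    "&": "\\u0026",
    "=": "\\u003D",
    "-": "\\u002D",
    ";": "\\u003B",
    "`": "\\u0060",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}
# Every ASCII control character (code point below 32) is escaped as well.
JS_ESCAPES.update({chr(z): "\\u%04X" % z for z in range(32)})

# The ticket's proposal: additionally escape the two block-comment delimiter
# characters. Hypothetical extension, not Django behaviour.
PROPOSED_EXTRA = {"/": "\\u002F", "*": "\\u002A"}


def escapejs(value, table=JS_ESCAPES):
    """Replace each mapped character with its \\uXXXX escape sequence."""
    return "".join(table.get(ch, ch) for ch in value)


def escapejs_proposed(value):
    """escapejs plus the '/' and '*' escapes the ticket asks for."""
    return escapejs(value, {**JS_ESCAPES, **PROPOSED_EXTRA})


# The reporter's commented-out template. Only the variable goes through the
# filter; the comment delimiters are template text and never reach it.
TEMPLATE = (
    "<script>\n"
    "/*\n"
    "function example() {\n"
    "    query = '%s';\n"
    "}\n"
    "*/\n"
    "</script>"
)


def render(q, escaper=escapejs):
    """Simulate Django rendering: the filter sees the variable value only."""
    return TEMPLATE % escaper(q)


def live_code(rendered_html):
    """Return the part of the <script> body that lies outside /* ... */
    comments, i.e. what a JS engine would actually execute.

    Deliberately small scanner: it ignores string literals and // comments,
    which is enough to check whether the interpolated value can terminate
    the template's block comment."""
    start = rendered_html.index("<script>") + len("<script>")
    end = rendered_html.index("</script>")
    body = rendered_html[start:end]
    out, i, in_comment = [], 0, False
    while i < len(body):
        if not in_comment and body.startswith("/*", i):
            in_comment, i = True, i + 2
        elif in_comment and body.startswith("*/", i):
            in_comment, i = False, i + 2
        elif in_comment:
            i += 1
        else:
            out.append(body[i])
            i += 1
    return "".join(out).strip()


if __name__ == "__main__":
    payload = "*/(alert(1))/*"  # the request value from the ticket
    print("current filter :", escapejs(payload))
    print("proposed filter:", escapejs_proposed(payload))
    print("live code, current :", repr(live_code(render(payload))))
    print("live code, proposed:", repr(live_code(render(payload, escapejs_proposed))))
```

Run it and the current filter leaves `*/(alert(1))/*` untouched, because none of those characters is in the map, while the proposed variant turns the delimiters into `\u002A\u002F`, which inside a comment is just text. The scanner makes the reason for the `wontfix` visible: the filter only ever sees the variable, so the `/*` and `*/` that matter here belong to the template, and no per-character table can tell a live string from a commented one. From a review standpoint the durable fix is to keep request data out of inline script bodies altogether, for example by passing it through Django's `json_script` filter into a data element and reading it from there, rather than widening an escape table for one pattern of stale code.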

Django

Apr 15, 2020, 3:52:29 AM
to django-...@googlegroups.com
#31466: A potential improvement in the Django template filter `escapejs`

Comment (by Phithon):

Hi, thanks for your reply.

In my opinion, the documentation and the former ticket are talking about
"HTML or JavaScript template literals", but the current context is a
"JavaScript string", which seems a bit different.

Anyway, this ticket can help people with bad programming practices even
though it was closed.

--
Ticket URL: <https://code.djangoproject.com/ticket/31466#comment:7>
