Re: [Django] #34514: `firstof` and `cycle` tags do not escapes variables defined in `wth` tag (was: `firstof` tag do not escapes variables defined in `wth` tag)
Django
-------------------------------------+-------------------------------------
Reporter: Алексей Поклонский | Owner: nobody
Type: Bug | Status: closed
Component: Template system | Version: 4.0
Severity: Normal | Resolution: invalid
Keywords: firstof, with, | Triage Stage:
templates | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Old description:
> django version: 4.0.1
> Template snippet example:
>
> {{{
> {% with var0="<script>alert('XSS');</script>" var1="12" %}
> {% firstof var0 "123" var1 %}
> {% endwith %}
> }}}
>
> Renders with:
>
> {{{
> def index(request):
> return render(request, 'polls/index.html')
> }}}
>
> Rendered result is:
>
> {{{
> <script>alert('XSS');</script>
> }}}
>
> Expected output is:
>
> {{{
> <script>alert('XSS');</script>
> }}}
>
> In [https://docs.djangoproject.com/en/4.0/ref/templates/builtins/#firstof
> docs] you noted that `firstof` will escape variables, but it does not
> escape them as you can see. And also it does not escape passed string
> literals. For example:
>
> {{{
> {% firstof var1 var2 var3 "<script>alert('XSS');</script>" %}
> }}}
>
> Will result in the same not escaped html with XSS.
>
> Related #17906
New description:
django version: 4.0.1
Template snippet example:
{{{
{% with var0="<script>alert('XSS');</script>" var1="12" %}
{% firstof var0 "123" var1 %}
{% endwith %}
}}}
Renders with:
{{{
def index(request):
return render(request, 'polls/index.html')
}}}
Rendered result is:
{{{
<script>alert('XSS');</script>
}}}
Expected output is:
{{{
<script>alert('XSS');</script>
}}}
In [https://docs.djangoproject.com/en/4.0/ref/templates/builtins/#firstof
docs] you noted that `firstof` will escape variables, but it does not
escape them as you can see. And also it does not escape passed string
literals. For example:
{{{
{% firstof var1 var2 var3 "<script>alert('XSS');</script>" %}
}}}
Will result in the same not escaped html with XSS.
The same problem with the `cycle` tag:
{{{
{% with var0="<script>alert('XSS');</script>" %}
{% for var2 in list_var %}
{% cycle var0 "123" %}
{% endfor %}
{% endwith %}
}}}
Where ''list_var'' is just a context-defined list variable.
Related #17906
--
Comment (by Алексей Поклонский):
The same problem with the `cycle` tag.
--
Ticket URL: <https://code.djangoproject.com/ticket/34514#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.