#34514: `firstof` tag do not escapes variables defined in `wth` tag
-------------------------------------+-------------------------------------
Reporter: Алексей | Owner: nobody
Поклонский |
Type: Bug | Status: new
Component: Template | Version: 4.0
system | Keywords: firstof, with,
Severity: Normal | templates
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
django version: 4.0.1
Template snippet example:
{{{
{% with var0="<script>alert('XSS');</script>" var1="12" %}
{% firstof var0 "123" var1 %}
{% endwith %}
}}}
Renders with:
{{{
def index(request):
return render(request, 'polls/index.html')
}}}
Rendered result is:
{{{
<script>alert('XSS');</script>
}}}
Expected output is:
{{{
<script>alert('XSS');</script>
}}}
In [https://docs.djangoproject.com/en/4.0/ref/templates/builtins/#firstof
docs] you noted that `firstof` will escape variables, but it does not
escape them as you can see. And also it does not escape passed string
literals. For example:
{{{
{% firstof var1 var2 var3 "<script>alert('XSS');</script>" %}
}}}
Will result in the same not escaped html with XSS.
Related #17906
--
Ticket URL: <https://code.djangoproject.com/ticket/34514>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/01070187b44a9298-13023c5f-b27f-44fa-a264-7e731e1fa278-000000%40eu-central-1.amazonses.com.
