Re: [Django] #34514: `firstof` and `cycle` tags do not escapes variables defined in `wth` tag (was: `firstof` tag do not escapes variables defined in `wth` tag)

[Django]

#34514: `firstof` and `cycle` tags do not escapes variables defined in `wth` tag
-------------------------------------+-------------------------------------
     Reporter:  Алексей Поклонский   |                    Owner:  nobody
         Type:  Bug                  |                   Status:  closed
    Component:  Template system      |                  Version:  4.0
     Severity:  Normal               |               Resolution:  invalid
     Keywords:  firstof, with,       |             Triage Stage:
  templates                          |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Old description:

> django version: 4.0.1
> Template snippet example:
>
> {{{
> {% with var0="<script>alert('XSS');</script>" var1="12" %}
> {% firstof var0 "123" var1 %}
> {% endwith %}
> }}}
>
> Renders with:
>
> {{{
> def index(request):
>     return render(request, 'polls/index.html')
> }}}
>
> Rendered result is:
>
> {{{
> <script>alert('XSS');</script>
> }}}
>
> Expected output is:
>
> {{{
> &lt;script&gt;alert(&#x27;XSS&#x27;);&lt;/script&gt;
> }}}
>
> In [https://docs.djangoproject.com/en/4.0/ref/templates/builtins/#firstof
> docs] you noted that `firstof` will escape variables, but it does not
> escape them as you can see. And also it does not escape passed string
> literals. For example:
>
> {{{
> {% firstof var1 var2 var3 "<script>alert('XSS');</script>" %}
> }}}
>
> Will result in the same not escaped html with XSS.
>
> Related #17906

New description:

 django version: 4.0.1
 Template snippet example:

 {{{
 {% with var0="<script>alert('XSS');</script>" var1="12" %}
 {% firstof var0 "123" var1 %}
 {% endwith %}
 }}}

 Renders with:

 {{{
 def index(request):
     return render(request, 'polls/index.html')
 }}}

 Rendered result is:

 {{{
 <script>alert('XSS');</script>
 }}}

 Expected output is:

 {{{
 &lt;script&gt;alert(&#x27;XSS&#x27;);&lt;/script&gt;
 }}}

 In [https://docs.djangoproject.com/en/4.0/ref/templates/builtins/#firstof
 docs] you noted that `firstof` will escape variables, but it does not
 escape them as you can see. And also it does not escape passed string
 literals. For example:

 {{{
 {% firstof var1 var2 var3 "<script>alert('XSS');</script>" %}
 }}}

 Will result in the same not escaped html with XSS.

 The same problem with the `cycle` tag:

 {{{
 {% with var0="<script>alert('XSS');</script>" %}
 {% for var2 in list_var %}
 {% cycle var0 "123" %}
 {% endfor %}
 {% endwith %}
 }}}

 Where ''list_var'' is just a context-defined list variable.

 Related #17906

--

Comment (by Алексей Поклонский):

 The same problem with the `cycle` tag.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34514#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/01070187b857eafb-b7e81d02-8ff6-43a4-8346-474ca273364f-000000%40eu-central-1.amazonses.com.