#23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?
-------------------------------+--------------------------------------
     Reporter:  djbug          |                    Owner:  nobody
         Type:  Uncategorized  |                   Status:  new
    Component:  Uncategorized  |                  Version:  1.7
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Changes (by djbug):

 * needs_better_patch:   => 0
 * needs_tests:   => 0
 * needs_docs:   => 0

Old description:

> According to https://docs.djangoproject.com/en/1.7/topics/security/
>
>     <style class="{{ var }}">...</style>
>
> If var is set to 'class1 onmouseover=javascript:func()', this can result
> in unauthorized JavaScript execution, depending on how the browser
> renders imperfect HTML.
>
> If `var` is escaped and the class attribute is in quotes, how can JS
> execution happen?
>
> The previous version of the docs, i.e.
> https://docs.djangoproject.com/en/1.6/topics/security/ and before, didn't
> have quotes around `{{var}}`, and that made sense, as you switch out of the
> attribute context with many characters. Is this a typo in the docs for
> 1.7?

New description:

According to https://docs.djangoproject.com/en/1.7/topics/security/

    <style class="{{ var }}">...</style>

If var is set to 'class1 onmouseover=javascript:func()', this can result
in unauthorized JavaScript execution, depending on how the browser
renders imperfect HTML.

If `var` is escaped and the class attribute is in quotes, how can JS
execution happen?

The previous version of the docs, i.e.
https://docs.djangoproject.com/en/1.6/topics/security/ and before, didn't
have quotes around `{{var}}`, and that made sense, as you switch out of the
attribute context with many characters. Is this a typo in the docs for
1.7, or is it implied that the invalid characters in the class name *may*
cause a security exception in some obscure browser that might close the
class context? Is this a known security issue in any browser?

--
Ticket URL: <https://code.djangoproject.com/ticket/23561#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
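The distinction the reporter is asking about, quoted versus unquoted attribute values under escaping, can be checked directly with a parser that follows the HTML attribute grammar. The example below is added here and is not part of the ticket or of Django; it uses the standard library's `html.escape` as a stand-in for template autoescaping (an assumption: both replace `<`, `>`, `&`, `"` and `'` with entities, but Django's own `escape` is not used here), and `html.parser.HTMLParser` as a stand-in for a browser's tokenizer. The tainted values are constructed from the ticket's own example.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs. The first is the ticket's example verbatim;
# the second additionally tries to close the surrounding double quote.
TAINTED = "class1 onmouseover=javascript:func()"
QUOTE_BREAK = 'x" onmouseover="javascript:func()'


def render_quoted(value):
    """Template with the attribute value in double quotes (1.7 docs form).

    Stand-in for autoescaping: html.escape encodes & < > " and '.
    """
    return '<style class="%s">...</style>' % html.escape(value, quote=True)


def render_unquoted(value):
    """Template with an unquoted attribute value (1.6 docs form), same escaping."""
    return '<style class=%s>...</style>' % html.escape(value, quote=True)


class AttrCollector(HTMLParser):
    """Records the attributes the parser assigns to the <style> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            # The parser already decodes entities in attribute values here.
            self.attrs = dict(attrs)


def attributes_of(markup):
    """Parse markup and return the attribute dict of the <style> tag."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup):
    """True if parsing yields any on* attribute, i.e. the value escaped its context."""
    return any(name.startswith("on") for name in attributes_of(markup))


if __name__ == "__main__":
    for label, renderer in (("quoted", render_quoted), ("unquoted", render_unquoted)):
        for value in (TAINTED, QUOTE_BREAK):
            markup = renderer(value)
            print(f"{label:8} {value!r:40} -> {attributes_of(markup)}")
```

With quotes, a space inside the escaped value stays inside the single `class` attribute, and a `"` in the value becomes `&quot;`, so the quote cannot be closed; without quotes, the space alone ends the attribute and the rest of the value is parsed as a new `onmouseover` attribute, which is the context switch the reporter describes for the 1.6 form.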