#23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?
-------------------------------+--------------------------------------
     Reporter:  djbug          |                    Owner:  nobody
         Type:  Uncategorized  |                   Status:  new
    Component:  Uncategorized  |                  Version:  1.7
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Changes (by djbug):

 * needs_better_patch:   => 0
 * needs_tests:   => 0
 * needs_docs:   => 0


Old description:

> According to https://docs.djangoproject.com/en/1.7/topics/security/
>
>     <style class="{{ var }}">...</style>
>
> If var is set to 'class1 onmouseover=javascript:func()', this can result
> in unauthorized JavaScript execution, depending on how the browser
> renders imperfect HTML.
>
> If `var` is escaped and the class attribute is in quotes, how can JS
> execution happen?
>
> The previous version of docs, i.e.
> https://docs.djangoproject.com/en/1.6/topics/security/ and before, didn't
> have quotes around `{{var}}` and that made sense, as you switch out of the
> attribute context with many characters. Is this a typo in the docs for
> 1.7?

New description:

 According to https://docs.djangoproject.com/en/1.7/topics/security/

     <style class="{{ var }}">...</style>

 If var is set to 'class1 onmouseover=javascript:func()', this can result
 in unauthorized JavaScript execution, depending on how the browser renders
 imperfect HTML.

 If `var` is escaped and the class attribute is in quotes, how can JS
 execution happen?

 The previous version of docs, i.e.
 https://docs.djangoproject.com/en/1.6/topics/security/ and before, didn't
 have quotes around `{{var}}` and that made sense, as you switch out of the
 attribute context with many characters. Is this a typo in the docs for 1.7,
 or is it implied that the invalid characters in the class name *may* cause a
 security exception in some obscure browser that might close the class
 context? Is this a known security issue in any browser?

--

--
Ticket URL: <https://code.djangoproject.com/ticket/23561#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
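As an added illustration (not part of the ticket and not Django's own code), the following Python re-implements the five replacements Django's `escape()` makes and feeds the rendered fragment to the standard-library HTML parser, to show which attributes a parser actually assigns for the ticket's value in the quoted 1.7 form versus the unquoted 1.6 form. The parser's tokenisation stands in for a browser's, and the second test value (one containing a double quote) is constructed.

```python
from html.parser import HTMLParser

# Stand-alone copy of the replacements django.utils.html.escape() performs
# (assumed mapping; Django itself is not imported).
_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def django_style_escape(value):
    """Escape a value the way Django autoescaping does for {{ var }}."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


class _StyleAttrs(HTMLParser):
    """Record the attributes the parser assigns to the <style> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.attrs = dict(attrs)


def render_and_parse(template, var):
    """Substitute the escaped value and return (rendered_html, parsed_attrs)."""
    html = template.replace("{{ var }}", django_style_escape(var))
    parser = _StyleAttrs()
    parser.feed(html)
    parser.close()
    return html, parser.attrs


def injected_attributes(template, var):
    """Attributes other than `class` that the value managed to introduce."""
    _, attrs = render_and_parse(template, var)
    return {k: v for k, v in attrs.items() if k != "class"}


QUOTED = '<style class="{{ var }}">...</style>'  # form shown in the 1.7 docs
UNQUOTED = '<style class={{ var }}>...</style>'  # form shown in the 1.6 docs
TICKET_VALUE = "class1 onmouseover=javascript:func()"  # value from the ticket
# Constructed value that tries to close the quoted attribute with a double quote.
QUOTE_VALUE = 'class1" onmouseover="javascript:func()'

if __name__ == "__main__":
    for name, tpl in (("quoted", QUOTED), ("unquoted", UNQUOTED)):
        for value in (TICKET_VALUE, QUOTE_VALUE):
            html, attrs = render_and_parse(tpl, value)
            print(f"{name:8} {html}\n         -> {attrs}")
```

With quotes, both values stay inside the single `class` attribute (the quote is rendered as `&quot;`, which the parser turns back into a literal character of the value, not an attribute delimiter); without quotes, the whitespace in the ticket's value starts a new `onmouseover` attribute even though escaping touched nothing.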
