#17419: JSON template tag
-----------------------------------+-------------------------------------
     Reporter:  lau                |                    Owner:  aaugustin
         Type:  New feature        |                   Status:  closed
    Component:  Template system    |                  Version:  master
     Severity:  Normal             |               Resolution:  wontfix
     Keywords:  json template tag  |             Triage Stage:  Accepted
    Has patch:  1                  |      Needs documentation:  0
  Needs tests:  0                  |  Patch needs improvement:  0
Easy pickings:  0                  |                    UI/UX:  0
-----------------------------------+-------------------------------------

Comment (by jrief):

 Sorry for adding my two cents to this ticket, 3 years after it was set to
 ''wontfix'', but for real projects such a filter is still an issue and often
 required. And since there is no solution out of the box, programmers start to
 implement their own stuff, which is then vulnerable to exactly the XSS attacks
 you're referring to. For instance here:
 https://github.com/divio/django-cms/blob/develop/cms/templatetags/cms_js_tags.py#L14.

 Therefore I started to rethink this problem and came to a solution which
 seems to be secure; at least I was unable to inject malicious code into this
 JSON filter. Please have a look at my attached implementation.

 One thing to note here: If someone pushes data through this filter marked
 as safe (using {{{mark_safe}}}), then of course XSS attacks are possible,
 but this is intentional misbehavior if applied to non-validated content.
 All other Python lists, dicts and strings (in my opinion) are safe when
 pushed through this filter.

--
Ticket URL: <https://code.djangoproject.com/ticket/17419#comment:19>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
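The comment above describes a JSON filter that is safe to use inside a `<script>` block unless the input was explicitly marked safe. The following is an added, self-contained illustration of the defensive idea behind such a filter; it is not jrief's attached patch, not django-cms code, and not Django's own filter (Django later shipped a `json_script` filter built on the same principle). The function names `naive_json_filter`, `safe_json_filter`, `is_html_inert` and `round_trips` are assumed for the example, and the sample data is constructed.

```python
import json

# Characters that json.dumps leaves untouched but that can change meaning once
# the output sits inside an HTML <script> element: "<" and ">" can open or close
# tags (e.g. a closing script tag inside a string literal), "&" matters if the
# same value is ever dropped into an attribute. Replacing them with JSON \uXXXX
# escapes keeps the document valid JSON and valid JavaScript while making it
# inert as HTML.
_SCRIPT_ESCAPES = {
    ord("<"): "\\u003c",
    ord(">"): "\\u003e",
    ord("&"): "\\u0026",
}


def naive_json_filter(value):
    """The pattern the comment warns about: raw json.dumps output in a <script> block.

    Any string field containing "</script>" terminates the element early, so the
    remainder of the value is parsed as markup by the browser.
    """
    return json.dumps(value)


def safe_json_filter(value):
    """Serialize `value` for embedding in a <script> block or inline JS context.

    json.dumps already escapes quotes, backslashes and control characters;
    ensure_ascii=True additionally turns every non-ASCII code point into \\uXXXX,
    which covers the U+2028/U+2029 line terminators that older JavaScript
    engines treat as newlines. The translate() pass then neutralises the
    HTML-significant characters listed in _SCRIPT_ESCAPES. The filter treats
    all input as data: it makes no exception for strings marked "safe".
    """
    return json.dumps(value, ensure_ascii=True).translate(_SCRIPT_ESCAPES)


def is_html_inert(serialized):
    """True if the serialized text contains no character that HTML could act on."""
    return not any(ch in serialized for ch in "<>&")


def round_trips(value):
    """True if escaping did not alter the data a JSON consumer reads back."""
    return json.loads(safe_json_filter(value)) == value


if __name__ == "__main__":
    # Constructed sample: a user-controlled string that tries to leave the
    # script element, plus an ampersand and a non-ASCII line terminator.
    sample = {
        "name": "</script><b>not data</b>",
        "note": "fish & chips",
        "memo": "line one\u2028line two",
    }
    print("naive:", naive_json_filter(sample))
    print("safe: ", safe_json_filter(sample))
    print("inert:", is_html_inert(safe_json_filter(sample)))
    print("round-trips:", round_trips(sample))
```

The escaped form is what a template should emit between `<script>` tags; the page's JavaScript can then read it with `JSON.parse` or as a literal, and the browser never sees a `<` that could end the element. The `round_trips` check is the property to keep in a test suite: the filter must change only the textual encoding, never the decoded value.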
