#31466: A potential security issue in the Django template filter `escapejs`
---------------------------------+--------------------------------------
Reporter: Phithon | Owner: Phithon
Type: New feature | Status: assigned
Component: Template system | Version: 3.0
Severity: Normal | Resolution:
Keywords: escapejs | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+--------------------------------------
Comment (by Phithon):
Replying to [comment:2 Claude Paroz]:
> I'm afraid this must be classified in programming errors, for which
Django cannot help. The `escapejs` filter has absolutely no way to detect
if it is used in commented code. In your example, it only receives the
`request.GET.q` content, not the code around it. I'm suggesting to `won't
fix` that issue, but I'll let a second triager confirm it.
>
> Also please note that security issues should be privately sent to
secur...@djangoproject.com and never on public issue trackers.
> https://docs.djangoproject.com/en/stable/internals/security/#reporting-
security-issues
I don't think it is a security issue, it is a security-related proposal
that works for some bad programming practices. Only two characters added
in escapejs process, the cost is very small.
Here is a reference to Secure by default policy
https://en.wikipedia.org/wiki/Secure_by_default.
--
Ticket URL: <https://code.djangoproject.com/ticket/31466#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/065.24cb92bb54e88862295c7793ff205048%40djangoproject.com.
