Re: [Django] #23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?

2014-09-26 Thread Django
#23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?
--------------------------------+---------------------------------------
     Reporter:  djbug           |                    Owner:  nobody
         Type:  Uncategorized   |                   Status:  closed
    Component:  Documentation   |                  Version:  1.7
     Severity:  Normal          |               Resolution:  fixed
     Keywords:                  |             Triage Stage:  Accepted
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+---------------------------------------
Changes (by Carl Meyer ):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 In [changeset:"d16bc7f0e46785bcf422310c41d20b25c0112051"]:
 {{{
 #!CommitTicketReference repository=""
 revision="d16bc7f0e46785bcf422310c41d20b25c0112051"
 Fixed #23561 -- Corrected a security doc example that requires an unquoted
 HTML attribute.

 Thanks "djbug" for the report.
 }}}

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/063.c9f75b918e63b3a8c87e8fd7aa7e6bc3%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Django] #23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?

2014-09-26 Thread Django
#23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?
--------------------------------+---------------------------------------
     Reporter:  djbug           |                    Owner:  nobody
         Type:  Uncategorized   |                   Status:  closed
    Component:  Documentation   |                  Version:  1.7
     Severity:  Normal          |               Resolution:  fixed
     Keywords:                  |             Triage Stage:  Accepted
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+---------------------------------------

Comment (by Carl Meyer ):

 In [changeset:"d7bc30ffd26ebbe6d98fcd08d9120f44702d2a62"]:
 {{{
 #!CommitTicketReference repository=""
 revision="d7bc30ffd26ebbe6d98fcd08d9120f44702d2a62"
 [1.7.X] Fixed #23561 -- Corrected a security doc example that requires an
 unquoted HTML attribute.

 Thanks "djbug" for the report.
 }}}



Re: [Django] #23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?

2014-09-26 Thread Django
#23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?
--------------------------------+---------------------------------------
     Reporter:  djbug           |                    Owner:  nobody
         Type:  Uncategorized   |                   Status:  new
    Component:  Documentation   |                  Version:  1.7
     Severity:  Normal          |               Resolution:
     Keywords:                  |             Triage Stage:  Accepted
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+---------------------------------------
Changes (by carljm):

 * component:  Uncategorized => Documentation
 * stage:  Unreviewed => Accepted


Comment:

 It looks to me like those quotes were added in 9432f1, probably without
 consideration that adding them changed that particular example
 significantly.

 I'm not aware of a browser vulnerability that would make the shown code
 (with quoted attributes and autoescaping on) vulnerable.

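To make the point of the ticket concrete, here is an added example (not Django's code and not part of the ticket): it re-implements the five-character replacement Django's autoescaping performs, renders the value quoted in the report into an unquoted and a quoted class attribute (the `<div>` tag and the `render` helper are assumptions), and uses Python's tolerant `html.parser` to show which attributes a browser-like parser ends up with in each case.

```python
from html.parser import HTMLParser


def autoescape(value):
    """Re-implements the replacements Django's autoescaping applies
    (&, <, >, " and '); written for this example, not Django's own code."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#39;"))


class FirstTagAttrs(HTMLParser):
    """Records the attribute dict a tolerant HTML parser assigns to the
    first start tag it sees, which is how a browser would read the markup."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def render(template, var):
    # Stand-in for "{{ var }}" with autoescaping on (hypothetical helper).
    return template.replace("{{ var }}", autoescape(var))


def attribute_names(template, var):
    """Returns the sorted attribute names a parser sees after rendering."""
    parser = FirstTagAttrs()
    parser.feed(render(template, var))
    parser.close()
    return sorted(parser.attrs or {})


# The two shapes of the doc example: the pre-1.7 unquoted attribute and the
# 1.7 quoted one (a <div> tag is assumed; the docs' own tag is not on the page).
UNQUOTED = "<div class={{ var }}>"
QUOTED = '<div class="{{ var }}">'

if __name__ == "__main__":
    tainted = "class1 onmouseover=javascript:func()"  # value quoted in the ticket
    for label, tpl in (("unquoted", UNQUOTED), ("quoted", QUOTED)):
        print(label, render(tpl, tainted), "->", attribute_names(tpl, tainted))
```

With the unquoted template the parser reports a second `onmouseover` attribute even though nothing in the value needed escaping; with the quoted template the whole value stays inside `class`, and a `"` in the value is rendered as `&quot;`, so the attribute cannot be closed early.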


Re: [Django] #23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?

2014-09-26 Thread Django
#23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?
--------------------------------+---------------------------------------
     Reporter:  djbug           |                    Owner:  nobody
         Type:  Uncategorized   |                   Status:  new
    Component:  Uncategorized   |                  Version:  1.7
     Severity:  Normal          |               Resolution:
     Keywords:                  |             Triage Stage:  Unreviewed
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+---------------------------------------
Description changed by djbug:

Old description:

> According to https://docs.djangoproject.com/en/1.7/topics/security/
>
> ...
>
> If var is set to 'class1 onmouseover=javascript:func()', this can result
> in unauthorized JavaScript execution, depending on how the browser
> renders imperfect HTML.
>
> If `var` is escaped and the class attribute is in quotes, how can JS
> execution happen?
>
> The previous version of docs i.e.
> https://docs.djangoproject.com/en/1.6/topics/security/ & before didn't
> have quotes around `{{var}}` and that made sense as you switch out of the
> attribute context with many characters. Is this a typo in the docs for
> 1.7 or is it implied that the invalid characters in class name *may*
> cause a security exception in some obscure browser that might close the
> class context? Is this a known security issue in any browser?

New description:

 According to https://docs.djangoproject.com/en/1.7/topics/security/

 ...

 If var is set to 'class1 onmouseover=javascript:func()', this can result
 in unauthorized JavaScript execution, depending on how the browser renders
 imperfect HTML.

 If `var` is escaped and the class attribute is in quotes, how can JS
 execution happen?

 The previous version of docs i.e.
 https://docs.djangoproject.com/en/1.6/topics/security/ & before didn't
 have quotes around `{{var}}` and that made sense (i.e. unquoted attributes
 are unsafe). However in v 1.7, is this a typo in the docs or is it implied
 that the invalid characters in class name *may* cause a security exception
 in some obscure browser that might close the class context? Is this a known
 security issue in any browser?

--



Re: [Django] #23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?

2014-09-26 Thread Django
#23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?
--------------------------------+---------------------------------------
     Reporter:  djbug           |                    Owner:  nobody
         Type:  Uncategorized   |                   Status:  new
    Component:  Uncategorized   |                  Version:  1.7
     Severity:  Normal          |               Resolution:
     Keywords:                  |             Triage Stage:  Unreviewed
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+---------------------------------------
Changes (by djbug):

 * needs_better_patch:   => 0
 * needs_tests:   => 0
 * needs_docs:   => 0


Old description:

> According to https://docs.djangoproject.com/en/1.7/topics/security/
>
> ...
>
> If var is set to 'class1 onmouseover=javascript:func()', this can result
> in unauthorized JavaScript execution, depending on how the browser
> renders imperfect HTML.
>
> If `var` is escaped and the class attribute is in quotes, how can JS
> execution happen?
>
> The previous version of docs i.e.
> https://docs.djangoproject.com/en/1.6/topics/security/ & before didn't
> have quotes around `{{var}}` and that made sense as you switch out of the
> attribute context with many characters. Is this a typo in the docs for
> 1.7?

New description:

 According to https://docs.djangoproject.com/en/1.7/topics/security/

 ...

 If var is set to 'class1 onmouseover=javascript:func()', this can result
 in unauthorized JavaScript execution, depending on how the browser renders
 imperfect HTML.

 If `var` is escaped and the class attribute is in quotes, how can JS
 execution happen?

 The previous version of docs i.e.
 https://docs.djangoproject.com/en/1.6/topics/security/ & before didn't
 have quotes around `{{var}}` and that made sense as you switch out of the
 attribute context with many characters. Is this a typo in the docs for 1.7
 or is it implied that the invalid characters in class name *may* cause a
 security exception in some obscure browser that might close the class
 context? Is this a known security issue in any browser?

--



[Django] #23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?

2014-09-26 Thread Django
#23561: Can unauthorized JS execution happen in quoted & escaped HTML class name?
--------------------------------+---------------------------
     Reporter:  djbug           |      Owner:  nobody
         Type:  Uncategorized   |     Status:  new
    Component:  Uncategorized   |    Version:  1.7
     Severity:  Normal          |   Keywords:
 Triage Stage:  Unreviewed      |  Has patch:  0
Easy pickings:  0               |      UI/UX:  0
--------------------------------+---------------------------
 According to https://docs.djangoproject.com/en/1.7/topics/security/

 ...

 If var is set to 'class1 onmouseover=javascript:func()', this can result
 in unauthorized JavaScript execution, depending on how the browser renders
 imperfect HTML.

 If `var` is escaped and the class attribute is in quotes, how can JS
 execution happen?

 The previous version of docs i.e.
 https://docs.djangoproject.com/en/1.6/topics/security/ & before didn't
 have quotes around `{{var}}` and that made sense as you switch out of the
 attribute context with many characters. Is this a typo in the docs for
 1.7?
