Quantcast
Channel: Planet Python
Viewing all articles
Browse latest Browse all 22462

Django Weblog: Security advisory: simple_tag does not do auto-escaping

$
0
0

As per our documentation, the simple_tag decorator used for creating custom template tags does not run auto-escaping on its contents (up to and including Django 1.8). The team has noticed, however, that this makes it very easy to introduce XSS vulnerabilities when using simple_tag, and we have found examples of vulnerable code in the wild.

For this reason, Django 1.9 will change this behavior to improve security. In the mean time, all users are encouraged to check every usage of simple_tag in their own template tags and ensure they are not vulnerable, as per the instructions in the 1.9 release notes.


Viewing all articles
Browse latest Browse all 22462

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>