Fix XSS caused by disabled autoescaping in the default DRF Browsable API view templates #6330
Dec 1, 2018
Hi @zyv. I need to dig in to this more fully, but I'm not 100% sure that the test demonstrates the correct behavior. Basically, this test ensures that
I think what we need instead are tests for the browsable API templates. By default, the browsable API should escape links once. And from there, we would then need to fix the templates and how/when it autoescapes.
Again, I'm not 100% on what the correct answer here is - I'd need to look at the base template and
Hi @rpkilby, you are right that my test doesn't demonstrate the correct expected behaviour of
Anyways, I've now finally managed to find some time to look into it, and have fixed the test, as well as (hopefully) found a solution to the problem. I would appreciate it if you could have a look at my new commits. A more detailed explanation of what/why they do follows:
I believe that the initial author of
I have changed the function to correctly mark the final string as safe and also got rid of the crazy escaping logic, so that hopefully it is now clearer what the function does (and what it does not).
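The escape-once rule discussed in this thread, as an added illustration that is not code from this pull request or from DRF: plain-Python stand-ins for Django's SafeString, conditional_escape and format_html (assumed to share their semantics) show why a link helper must escape untrusted input exactly once and then mark the result safe, and what goes wrong when it escapes zero times or twice.

```python
import html


class SafeString(str):
    """Marker type: already escaped, must not be escaped again.
    Stand-in for django.utils.safestring.SafeString (assumption)."""


def mark_safe(s: str) -> SafeString:
    return SafeString(s)


def conditional_escape(value) -> SafeString:
    """Escape once: plain str is HTML-escaped, SafeString passes through."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def format_html(fmt: str, *args) -> SafeString:
    """Escape each argument exactly once, then mark the assembled markup safe."""
    return mark_safe(fmt.format(*(conditional_escape(a) for a in args)))


def autoescape_template(value) -> str:
    """What a template with autoescape enabled does to a rendered variable."""
    return str(conditional_escape(value))


def render_link_once(url: str, text: str) -> SafeString:
    """Correct: inputs escaped once, result marked safe so the template
    leaves it alone. Hypothetical helper name."""
    return format_html('<a href="{}">{}</a>', url, text)


def render_link_unescaped(url: str, text: str) -> SafeString:
    """Defect: raw interpolation marked safe, so attacker-controlled
    text reaches the browser as markup (the XSS this PR fixes)."""
    return mark_safe('<a href="{}">{}</a>'.format(url, text))


def render_link_twice(url: str, text: str) -> str:
    """Defect: escaped once but not marked safe, so an autoescaping
    template escapes it again and the link renders as literal text."""
    return str(format_html('<a href="{}">{}</a>', url, text))


if __name__ == "__main__":
    # Constructed sample input: a link label under the client's control.
    label = "<b>x</b>"
    for helper in (render_link_once, render_link_unescaped, render_link_twice):
        print(helper.__name__, autoescape_template(helper("/api/?q=a&b", label)))
```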