XSS vulnerable #5
Comments
Good point, let's fix that.
You can do this by rendering via Django templates, jinja2, or
The TurboStream and TurboFrame classes already have template classes/methods for handling template-based content, so you would likely do something like:
So rendering in such cases is fine, as the HTML string has already been handled by Django templates. In such cases we can pass this content through mark_safe, as it can be assumed to have already been handled by the Django template engine.
Fixed in 0.0.39.
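The approach the comment above describes, as an added example that is not the project's code: an f-string renderer that reflects content unescaped, beside one that escapes untrusted strings but passes through markup a template engine has already escaped. `SafeHTML`, `mark_safe` and `render_template` are stdlib stand-ins for Django's SafeString, mark_safe and autoescaping template rendering; the `render_stream_*` functions are hypothetical.

```python
import html


class SafeHTML(str):
    """Stand-in for Django's SafeString: markup already escaped by a template engine."""


def mark_safe(markup: str) -> SafeHTML:
    # Stand-in for django.utils.safestring.mark_safe (constructed for this example).
    return SafeHTML(markup)


def render_stream_vulnerable(action: str, target: str, content: str) -> str:
    # The pattern the issue describes: f-string templating with no escaping,
    # so markup inside `content` is reflected straight into the response.
    return (
        f'<turbo-stream action="{action}" target="{target}">'
        f"<template>{content}</template></turbo-stream>"
    )


def render_stream_fixed(action: str, target: str, content: str) -> str:
    # Attribute values are always escaped. Content is escaped unless it is
    # SafeHTML from template rendering, which is passed through unchanged
    # (escaping it again would double-encode the template output).
    body = content if isinstance(content, SafeHTML) else html.escape(content, quote=True)
    return (
        f'<turbo-stream action="{html.escape(action, quote=True)}" '
        f'target="{html.escape(target, quote=True)}">'
        f"<template>{body}</template></turbo-stream>"
    )


def render_template(template: str, **context: str) -> SafeHTML:
    # Minimal stand-in for a Django/jinja2 template with autoescape on: every
    # context value is escaped on substitution, so the result is safe to embed.
    rendered = template
    for name, value in context.items():
        rendered = rendered.replace("{{ " + name + " }}", html.escape(str(value), quote=True))
    return mark_safe(rendered)


if __name__ == "__main__":
    # Constructed sample of attacker-controlled input (e.g. a chat message body).
    user_input = "<script>alert(1)</script>"
    print(render_stream_vulnerable("append", "messages", user_input))
    print(render_stream_fixed("append", "messages", user_input))
    safe = render_template("<p>{{ msg }}</p>", msg=user_input)
    print(render_stream_fixed("append", "messages", safe))
```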
The code in renderers.py uses f-strings to template HTML with HTML-escaping incoming strings. This means user content being used in a response could be reflected and rendered in the browser.