/
template-blocktranslate-no-escape.yaml
46 lines (46 loc) · 1.33 KB
/
template-blocktranslate-no-escape.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
rules:
- id: template-blocktranslate-no-escape
languages: [generic]
severity: INFO
message: >-
Translated strings will not be escaped when rendered in a template.
This leads to a vulnerability where translators could include malicious script tags in their translations.
Consider using `force_escape` to explicitly escape a translated text.
patterns:
- pattern-either:
- pattern: |
{% blocktranslate...%}
- pattern: |
{% blocktrans...%}
- pattern-not-inside: |
{%...filter...force_escape...%}
...
...
...
...
...
...
...
...
...
...
{%...endfilter...%}
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
references:
- https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates
- https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code
category: security
technology:
- django
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW