enable django autoescape for page-wrapper #187
Merged
Autoescape is a good way to prevent XSS attacks.
Currently, doing something like
curl "http://localhost:8000/%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
would inject the trailing URL params into the template, and the system would attempt to run the script. This will provide somewhat of a stop gap; while not perfect, it would prevent most of these XSS attacks from succeeding by turning the trailing params into garbage.
See https://docs.djangoproject.com/en/2.0/ref/templates/language/#automatic-html-escaping
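An added example, not code from this PR or the project, showing what the request above turns into with and without autoescaping. Django itself is not imported here; the stdlib `html.escape(..., quote=True)` is used as a stand-in because it entity-encodes the same five characters (`&`, `<`, `>`, `"`, `'`) that Django's `escape()` does. The `render_wrapper` template and the `ATTACKER_URL` value are constructed for illustration; the `autoescape_disabled_engines` helper inspects a `TEMPLATES` setting shaped like Django's (the `OPTIONS["autoescape"]` key is a real DjangoTemplates backend option, default `True`).

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed input: the same payload the PR description's curl command sends.
ATTACKER_URL = "http://localhost:8000/%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"


def path_from_request(url: str) -> str:
    """Decode the percent-encoded path the way a WSGI server hands it to the app."""
    return unquote(urlsplit(url).path)


def render_wrapper(path: str, autoescape: bool) -> str:
    """Hypothetical page-wrapper template that echoes the request path into the body.

    With autoescape on, the interpolated value is entity-encoded before it lands in
    the markup; with it off, the raw string is dropped straight into the HTML.
    html.escape is used here as a stand-in for Django's escape() (assumption).
    """
    value = html.escape(path, quote=True) if autoescape else path
    return f'<html><body><div class="path">{value}</div></body></html>'


def contains_live_script(rendered: str) -> bool:
    """Crude string check (not an HTML parser) for the injected element surviving as markup."""
    return "<script>" in rendered.lower()


def autoescape_disabled_engines(templates_setting: list) -> list:
    """Return engine NAMEs/BACKENDs from a Django-style TEMPLATES list whose
    OPTIONS explicitly set autoescape to False (the option defaults to True)."""
    flagged = []
    for engine in templates_setting:
        options = engine.get("OPTIONS", {})
        if options.get("autoescape", True) is False:
            flagged.append(engine.get("NAME") or engine.get("BACKEND"))
    return flagged


def demo() -> dict:
    """Run both renderings and a settings check; returns the results for inspection."""
    path = path_from_request(ATTACKER_URL)
    unsafe = render_wrapper(path, autoescape=False)
    safe = render_wrapper(path, autoescape=True)
    # Constructed settings: one engine with the default, one that opts out.
    templates = [
        {"BACKEND": "django.template.backends.django.DjangoTemplates", "OPTIONS": {}},
        {"BACKEND": "django.template.backends.django.DjangoTemplates",
         "NAME": "legacy", "OPTIONS": {"autoescape": False}},
    ]
    return {
        "decoded_path": path,
        "unsafe_html": unsafe,
        "safe_html": safe,
        "unsafe_executes": contains_live_script(unsafe),
        "safe_executes": contains_live_script(safe),
        "engines_without_autoescape": autoescape_disabled_engines(templates),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Autoescaping only covers values interpolated into HTML element content and quoted attributes; anything passed through `|safe` or `mark_safe()`, or placed inside a `<script>` block or an unquoted attribute, still needs context-specific encoding, which is why the description calls this a stop gap rather than a complete fix.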