Security Considerations Oversight #2174
input value seems like a good idea
We might as well add extra text to mention that case instead of changing the example. Better to sensitize people on this issue than contriving the example, which may make people think that Jinja's HTML escaping + quoted attributes fixes all XSS.
On Wed, Feb 08, 2017 at 08:35:40AM -0800, Adrian wrote:
> input value seems like a good idea
Not a bug report, per se, but it still should be noted. On the Security Considerations page, after describing the XSS remediation that Jinja2 provides, it describes the one caveat that unquoted HTML attributes are still vulnerable. It follows with a "correct" example:
<a href="{{ href }}">the text</a>
However, that example is also vulnerable to XSS. An attacker could still set `href` to `javascript:alert(1)` to inject JavaScript into the tag (although it would require a user to click the link). Perhaps the example should use a different quoted attribute as the example, like a default value for an input field or something of the like.
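The point of the report is that attribute escaping and a `javascript:` URL are orthogonal: `javascript:alert(1)` contains no `&`, `<`, `>`, `"` or `'`, so HTML escaping leaves it untouched and the quoted attribute is intact but still executes on click. The only effective control is to restrict which URL schemes a link may carry before the value reaches the template. The following is an added example written for this issue, not code from Flask, Jinja2 or their documentation; `ALLOWED_SCHEMES`, `is_safe_href`, `safe_href` and `render_link` are names chosen here, and the allowlist contents are an assumption an application would tune to its needs. It uses only the standard library so that the escaping step can be shown next to the scheme check without a Jinja2 dependency.

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist for this example: schemes an <a href> may carry.
# Anything else (javascript:, data:, vbscript:, ...) is refused.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def escape_only(value: str) -> str:
    """What HTML attribute escaping alone does to a value (the docs' example)."""
    return html.escape(value, quote=True)


def normalize_url(value: str) -> str:
    """Approximate the browser's lenient URL parsing before checking the scheme.

    Browsers ignore surrounding whitespace and strip ASCII tab, CR and LF from
    anywhere in a URL, so "java\\tscript:alert(1)" is still a javascript: URL.
    Removing them first keeps the scheme check from being bypassed.
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n")
    return cleaned.strip()


def is_safe_href(value: str) -> bool:
    """True if the URL is relative or uses an allowlisted scheme."""
    scheme = urlsplit(normalize_url(value)).scheme.lower()
    if scheme == "":
        # No scheme: a relative URL such as "/account", "page.html" or "#top".
        return True
    return scheme in ALLOWED_SCHEMES


def safe_href(value: str, fallback: str = "#") -> str:
    """Return the URL unchanged if its scheme is allowed, else a harmless fallback."""
    return value if is_safe_href(value) else fallback


def render_link(href: str, text: str) -> str:
    """Render <a href="...">text</a> with BOTH a scheme check and attribute escaping.

    The scheme check stops javascript: URLs; the escaping stops attribute
    breakout via quotes and keeps the link text from injecting markup.
    Neither step alone is sufficient.
    """
    return '<a href="{}">{}</a>'.format(
        html.escape(safe_href(href), quote=True),
        html.escape(text),
    )


if __name__ == "__main__":
    payload = "javascript:alert(1)"  # constructed sample value
    print("escaping alone leaves it:", escape_only(payload))
    print("with scheme check:", render_link(payload, "the text"))
    print("legitimate link:", render_link('https://example.com/?a=1&b="x"', "a & b"))
```

`render_link` shows the two controls composed: a value that fails the scheme check is replaced by `#` before it is escaped and interpolated, while a legitimate URL passes through and still gets its quotes and ampersands escaped. The same allowlist logic can be wrapped as a Jinja2 filter so that templates never interpolate a raw `href` at all.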