Python

Made by DeepSource

Insecure use of format_html detected PY-S0901

Security
Major
A03, CWE-79, SANS Top 25, OWASP Top 10

Django's format_html() function escapes its arguments before interpolating them into the format string, so it can be used to safely insert untrusted user data into HTML.

However, passing an already formatted string (for example an f-string, a %-formatted string or the result of str.format()) to format_html() has no effect on that string: the escaping is applied only to the arguments, not to the format string itself, so the interpolated data reaches the output unescaped. This may expose cross-site scripting (XSS) vulnerabilities.

Bad practice

format_html(f"<b>{user_input}</b>")  # `user_input` is not being sanitized!

Recommended

format_html("<b>{}</b>", user_input)  # This can safely be used.
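The check this rule performs can be reproduced with Python's ast module: flag any call to format_html() whose first argument is built by interpolation (f-string, %-formatting or str.format()), which is exactly the case where the escaping never reaches the user data. The following is an added example, not DeepSource's analyzer; the Django view code it scans is constructed inline.

```python
import ast


def _is_preformatted(node: ast.AST) -> bool:
    """True when the expression already interpolates values into a string."""
    if isinstance(node, ast.JoinedStr):
        # f-string; only a problem if it actually has {...} placeholders
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True  # "<b>%s</b>" % user_input
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"  # "<b>{}</b>".format(user_input)
    return False


def find_insecure_format_html(source: str) -> list[int]:
    """Return line numbers of format_html() calls whose template is pre-formatted."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        # handles both `format_html(...)` and `html.format_html(...)`
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name == "format_html" and _is_preformatted(node.args[0]):
            findings.append(node.lineno)
    return sorted(findings)


# Constructed sample (hypothetical view code), not taken from any real project.
SAMPLE = '''\
from django.utils.html import format_html

def render(user_input):
    a = format_html(f"<b>{user_input}</b>")          # line 4: unescaped
    b = format_html("<b>%s</b>" % user_input)         # line 5: unescaped
    c = format_html("<b>{}</b>".format(user_input))   # line 6: unescaped
    d = format_html("<b>{}</b>", user_input)          # line 7: escaped, safe
    e = format_html(f"<b>static</b>")                 # line 8: no placeholders
    return a, b, c, d, e
'''

if __name__ == "__main__":
    print(find_insecure_format_html(SAMPLE))  # [4, 5, 6]
```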

References:

  • format_html
  • OWASP Top 10 2021 Category A03 - Injection
  • CWE 79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')