Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
37 icon_file = os.path.join(settings.STATIC_ROOT, "icons", name)
38 try:
39 with open(icon_file) as handle:
40 CACHE[name] = mark_safe(handle.read()) # noqa: S30841 except OSError:
42 report_error(cause="Could not load icon")
43 return ""Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
62 part, user.get_absolute_url(), user.get_visible_name()
63 )
64 text = "".join(parts)
65 return mark_safe(MARKDOWN(text)) # noqa: S308Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
1189def urlize_ugc(value, autoescape=True):
1190 """Convert URLs in plain text into clickable links."""
1191 html = urlize(value, nofollow=True, autoescape=autoescape)
1192 return mark_safe( # noqa: S3081193 html.replace('rel="nofollow"', 'rel="ugc" target="_blank"')1194 )1195
1196
1197def get_breadcrumbs(path_object, flags: bool = True):Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
1120 percent = 99
1121 else:
1122 percent = int(number)
1123 return mark_safe( # noqa: S3081124 pgettext("Translated percents", "%(percent)s%%")1125 % {"percent": intcomma(percent)}1126 )1127
1128
1129@register.filterUse of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
350 output.append(escape(char))
351 # Trailing tags
352 output.append("".join(tags[len(value)]))
353 return mark_safe("".join(output)) # noqa: S308 354
355
356@register.inclusion_tag("snippets/format-translation.html")Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
235 name,
236 format_html(
237 'data-value="{}"',
238 mark_safe( # noqa: S308 239 value.encode("ascii", "xmlcharrefreplace").decode("ascii") 240 ), 241 ),
242 char,
243 )Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
170 name,
171 format_html(
172 'data-value="{}"',
173 mark_safe( # noqa: S308 174 value.encode("ascii", "xmlcharrefreplace").decode("ascii") 175 ), 176 ),
177 char,
178 )Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
107 self.instance.configuration["cookie_name"],
108 )
109 ),
110 "css_selector": mark_safe( # noqa: S308111 json.dumps(112 self.instance.configuration["css_selector"],113 )114 ),115 },
116 )
117 )Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
102 )
103 )
104 ),
105 "cookie_name": mark_safe( # noqa: S308106 json.dumps(107 self.instance.configuration["cookie_name"],108 )109 ),110 "css_selector": mark_safe( # noqa: S308
111 json.dumps(
112 self.instance.configuration["css_selector"],Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
94 )
95 )
96 ),
97 "url": mark_safe( # noqa: S308 98 json.dumps( 99 os.path.join(100 settings.LOCALIZE_CDN_URL,101 self.instance.state["uuid"],102 )103 )104 ),105 "cookie_name": mark_safe( # noqa: S308
106 json.dumps(
107 self.instance.configuration["cookie_name"],Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
86 {
87 # `mark_safe(json.dumps(` is NOT safe in HTML files. Only JS.
88 # See `django.utils.html.json_script`
89 "languages": mark_safe( # noqa: S308 90 json.dumps( 91 sorted( 92 translation.language.code 93 for translation in translations 94 ) 95 ) 96 ), 97 "url": mark_safe( # noqa: S308
98 json.dumps(
99 os.path.join(Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
28 url = link.get("src")
29 if url.startswith("/"):
30 link.set("src", get_site_url(url))
31 return mark_safe( # noqa: S30832 etree.tostring(33 tree.getroot(), pretty_print=True, method="html", encoding="unicode"34 )35 )
Description
Use of mark_safe() may expose cross-site scripting (XSS) vulnerabilities and should be reviewed.
mark_safe explicitly marks a string as safe for (HTML) output purposes.
Django auto-escapes all output from template variable tags unless explicitly told not to. Use of mark_safe() function implies that the parameter is safe for client-side output without Django's automatic string escaping. It's a legitimate way of defining strings that are intended to be interpreted as HTML.
Using mark_safe() on an internally generated string is okay but becomes a security risk if used on unchecked user input.
Since this is an audit issue, some occurrences may be harmless here. The goal is to bring the issue to attention. Please make sure that the input string is trusted. If the occurrences don't seem to be valid, please feel free to ignore them.
When possible, use formathtml. It is safe as all arguments are passed through conditionalescape()
Bad practice
mark_safe("<b>%s</b> %s" % (user_input))
Recommended
format_html("<b>%s</b>, user_input)