37 icon_file = os.path.join(settings.STATIC_ROOT, "icons", name)
38 try:
39 with open(icon_file) as handle:
40 CACHE[name] = mark_safe(handle.read()) # noqa: S30841 except OSError:
42 report_error(cause="Could not load icon")
43 return ""
62 part, user.get_absolute_url(), user.get_visible_name()
63 )
64 text = "".join(parts)
65 return mark_safe(MARKDOWN(text)) # noqa: S308
def urlize_ugc(value, autoescape=True):
    """Turn URLs in plain text into clickable links flagged as user-generated content.

    ``value`` is passed through Django's ``urlize`` (always with ``nofollow``,
    honouring ``autoescape``), and every resulting ``rel="nofollow"`` attribute
    is rewritten to ``rel="ugc" target="_blank"``. The result is returned as a
    safe string, so it bypasses template auto-escaping: the escaping of
    ``value`` itself is only guaranteed when ``autoescape`` is true.

    NOTE(review): ``target="_blank"`` is emitted without ``rel="noopener"``;
    current browsers imply noopener for ``_blank``, older ones may not — confirm
    whether that matters for the supported browser set.
    """
    linked = urlize(value, nofollow=True, autoescape=autoescape)
    ugc_attrs = 'rel="ugc" target="_blank"'
    return mark_safe(linked.replace('rel="nofollow"', ugc_attrs))  # noqa: S308
1197def get_breadcrumbs(path_object, flags: bool = True):
1120 percent = 99
1121 else:
1122 percent = int(number)
1123 return mark_safe( # noqa: S3081124 pgettext("Translated percents", "%(percent)s%%")1125 % {"percent": intcomma(percent)}1126 )1127
1129@register.filter
350 output.append(escape(char))
351 # Trailing tags
352 output.append("".join(tags[len(value)]))
353 return mark_safe("".join(output)) # noqa: S308 354
356@register.inclusion_tag("snippets/format-translation.html")
235 name,
236 format_html(
237 'data-value="{}"',
238 mark_safe( # noqa: S308 239 value.encode("ascii", "xmlcharrefreplace").decode("ascii") 240 ), 241 ),
242 char,
243 )
170 name,
171 format_html(
172 'data-value="{}"',
173 mark_safe( # noqa: S308 174 value.encode("ascii", "xmlcharrefreplace").decode("ascii") 175 ), 176 ),
177 char,
178 )
107 self.instance.configuration["cookie_name"],
108 )
109 ),
110 "css_selector": mark_safe( # noqa: S308111 json.dumps(112 self.instance.configuration["css_selector"],113 )114 ),115 },
116 )
117 )
102 )
103 )
104 ),
105 "cookie_name": mark_safe( # noqa: S308106 json.dumps(107 self.instance.configuration["cookie_name"],108 )109 ),110 "css_selector": mark_safe( # noqa: S308
111 json.dumps(
112 self.instance.configuration["css_selector"],
94 )
95 )
96 ),
97 "url": mark_safe( # noqa: S308 98 json.dumps( 99 os.path.join(100 settings.LOCALIZE_CDN_URL,101 self.instance.state["uuid"],102 )103 )104 ),105 "cookie_name": mark_safe( # noqa: S308
106 json.dumps(
107 self.instance.configuration["cookie_name"],
86 {
87 # `mark_safe(json.dumps(` is NOT safe in HTML files. Only JS.
88 # See `django.utils.html.json_script`
89 "languages": mark_safe( # noqa: S308 90 json.dumps( 91 sorted( 92 translation.language.code 93 for translation in translations 94 ) 95 ) 96 ), 97 "url": mark_safe( # noqa: S308
98 json.dumps(
99 os.path.join(
28 url = link.get("src")
29 if url.startswith("/"):
30 link.set("src", get_site_url(url))
31 return mark_safe( # noqa: S30832 etree.tostring(33 tree.getroot(), pretty_print=True, method="html", encoding="unicode"34 )35 )
Use of mark_safe() may expose cross-site scripting (XSS) vulnerabilities and should be reviewed.
mark_safe() explicitly marks a string as safe for (HTML) output purposes.
Django auto-escapes all output from template variable tags unless explicitly told not to. Using mark_safe() asserts that the parameter is safe for client-side output without Django's automatic string escaping. It is a legitimate way of defining strings that are intended to be interpreted as HTML.
Using mark_safe() on an internally generated string is fine, but it becomes a security risk when applied to unchecked user input.
Since this is an audit issue, some occurrences may be harmless. The goal is to bring them to attention: make sure the input string is trusted at every reported call site. Occurrences that do not seem to be valid can be ignored.
When possible, use format_html(). It is safe because every argument is passed through conditional_escape() before being interpolated into the template string.
Bad practice
mark_safe("<b>%s</b>" % user_input)
Recommended
format_html("<b>{}</b>", user_input)