Insecure use of 'format_html()' function
109 for language in data:
110 name, translators = language.popitem()
111 language_outputs.append(
112 format_html_or_plain(113 language_format,
114 language=name,
115 translators=format_html_or_plain_join(Insecure use of 'format_html()' function
872
873 def get_plural_label(self, idx):
874 """Return label for plural form."""
875 return format_html( 876 PLURAL_TITLE,
877 name=self.get_plural_name(idx),
878 examples=", ".join(self.examples.get(idx, [])),Insecure use of 'format_html()' function
44 key: format_html("<code>{value}</code>", value=value)
45 for key, value in kwargs.items()
46 }
47 return format_html(escape(format_string), **safe_kwargs) 48
49
50def format_html_error_list(errors: Iterable[str]) -> SafeString:Insecure use of 'format_html()' function
83 params["image"] = staticfiles_storage.url("auth/" + params["image"])
84 params["icon"] = format_html(IMAGE_SOCIAL_TEMPLATE, separator=separator, **params)
85
86 return format_html(SOCIAL_TEMPLATE, separator=separator, **params)87
88
89def get_auth_name(auth: str):Insecure use of 'format_html()' function
81
82 if not params["image"].startswith("http"):
83 params["image"] = staticfiles_storage.url("auth/" + params["image"])
84 params["icon"] = format_html(IMAGE_SOCIAL_TEMPLATE, separator=separator, **params)85
86 return format_html(SOCIAL_TEMPLATE, separator=separator, **params)
87
Description
Django's format_html() function can be used to safely insert untrusted user data into HTML.
However, passing an already formatting string to format_html() has no effect on the inputted string, and may be a security issue. This may expose cross-site scripting (XSS) vulnerabilities.
Bad practice
format_html(f"<b>{user_input}</b>") # `user_input` is not being sanitized!
Recommended
format_html("<b>{}</b>", user_input) # This can safely be used.
References:
format_html- OWASP Top 10 2021 Category A03 - Injection
- CWE 79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')