mark_safe detected (BAN-B308)
        ]
    )

    return mark_safe(
        f"""<script type="module" src="/static/{manifest['index.html']['file']}"></script>
<link rel="stylesheet" type="text/css" href="/static/{manifest['index.html']['css'][0]}" />
{imports_files}"""
    )
Use of mark_safe() may expose cross-site scripting (XSS) vulnerabilities and should be reviewed.
mark_safe() explicitly marks a string as safe for (HTML) output purposes.
Django auto-escapes all output from template variable tags unless explicitly told not to. Use of the mark_safe() function implies that the parameter is safe for client-side output without Django's automatic string escaping. It is a legitimate way of defining strings that are intended to be interpreted as HTML.
Using mark_safe() on an internally generated string is okay, but it becomes a security risk if used on unchecked user input.
Since this is an audit issue, some occurrences may be harmless here. The goal is to bring the issue to attention. Please make sure that the input string is trusted. If the occurrences don't seem to be valid, please feel free to ignore them.
When possible, use format_html(). It is safe because all arguments are passed through conditional_escape() before being interpolated into the markup.

Instead of:

mark_safe("<b>%s</b>" % user_input)

use:

format_html("<b>{}</b>", user_input)