Is the value attribute of an HTML input tag a reflected cross-site scripting risk?

Using Django
1

I’d like to keep my question intentionally simple.

I have an HTML input field rendered from a template using a forms.ModelForm class from forms.py. This input field is a search box.

When someone searches for: javascript:alert(1);, this gets outputted in the HTML of the page. See below:

<form method="GET" id="searchForm">
   <input type="text" name="q" value="javascript:alert(1);" maxlength="100" 
        id="searchQuery" placeholder="Search..." autocomplete="off" required="">
</form>

My simple question is, is this a reflected cross-site scripting (XSS) risk or vulnerability?

Should I attempt to override the clean_q(self): method and escape, escapejs, or would this SafeString matter at all?

More context

class SiteSearchForm(forms.ModelForm):
    class Meta:
        model = Search
        fields = ('q',)

In my template, it’s rendered by:

{{ search_form.q }}

where q is on a model:

q = models.CharField(max_length=100)
2

Yes.

Anytime you render user-supplied input, you need to assume that it could be a vector for attack.

For example, let’s say that instead of submitting javascript:alert(1), the user submitted something like this (greatly simplified):
"><script>javascript:alert(1)</script><input type="text" name="qq"
Then you may end up rendering:

<input type="text" name="q" value="">
<script>javascript:alert(1)</script>
<input type="text" name="qq" maxlength="100" id="searchQuery" placeholder="Search..." autocomplete="off" required="">

Which as you can see can be a vector for attack.

Bottom line? You can never assume any user-supplied data is “safe”.