Safely Including Data for JavaScript in a Django Template

adamchainz · February 18, 2020, 4:31pm

New blog post:

https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/

cmackenziek · February 18, 2020, 5:22pm

Thank for this post! Wasn’t aware of this vulnerability, I do this in a couple of projects.

I’m sure there are many and apologies for my ignorance, but could you point out a couple of ways in which an attacker might be able to modify the contents of the mydata variable? If someone’s modifying your variables, aren’t you in deep deep trouble? (i.e. someone’s in your app server or something like that?)

Thanks!

adamchainz · February 18, 2020, 5:40pm

get_mydata is a stand-in example - it could be using the ORM. Added a clarifying sentence to the post:

If the mydata is controllable by third parties in any way, for example a user’s comment, or an API’s return data, attackers might try and use it for HTML injection.

Topic		Replies	Views
settings variable in js file Templates & Frontend	3	1337	February 20, 2022
Security risks and mitigation when using builtin templates "\|safe" properly Getting Started	1	563	February 4, 2023
Security Vulnerability in Django Templates Using Django	6	928	March 26, 2021
Django javascript template tags with injected variables Using Django	7	10351	December 10, 2020
Context data security risk? Templates & Frontend	1	247	September 21, 2022

Safely Including Data for JavaScript in a Django Template

Related Topics