Hacker News new | ask | show | jobs
by gynvael 445 days ago
Thanks! I'll pass this to the author.

Out of curiosity I've started looking in Django docs (I'm more of a flask person myself), and they seems to confirm what you're saying. More to the point, the `strings` are the main issue. The default autoescape actually encodes ' and " as HTML entities, but doesn't encode a backslash, so leaving a \ at end of a ' or " string would escape the string ending - this would be exploitable if the attacker controls two strings of the same "type' in a row.

I guess this is the proper way to do it: https://docs.djangoproject.com/en/5.1/ref/templates/builtins...
2 comments
GICodeWarrior 445 days ago
If you're interested to explore lots of XSS edge cases, I've found this CTF to be enjoyable.

https://alf.nu/alert1

link
Kwpolska 445 days ago
All JSON serializers worth their salt can serialize a single string to JSON, so the simplest way is to do json.dumps(the_string) and mark the string as safe so that it doesn't get escaped twice.
link
GICodeWarrior 445 days ago
Simple JSON encoding alone is not sufficient if you put the output into a <script> tag.

<script>const user_input = "</script><script>alert(1)//"; ...

link