Fix potential XSS vulnerability in break_long_headers template filter #9435
Conversation
The header input is now properly escaped before splitting and joining with <br> tags. This prevents potential XSS attacks if the header contains unsanitized user input.
browniebroke left a comment:

Probably deserves a test
@browniebroke Let's prioritise getting this sorted, rather than waiting on a test case. I'd marginally prefer #9438 over this, since the line break isn't actually required; however, we should just go with whatever gets this resolved as quickly as possible at this point.
I've identified a potential XSS vulnerability related to the break_long_headers template filter used in the rest_framework/base.html template file by APIView. This file employs the break_long_headers template filter, making the following code vulnerable to XSS attacks due to unsanitized user input:

```python
# views.py
from rest_framework.views import APIView
from rest_framework.response import Response


class Index(APIView):
    def get(self, request):
        # Untrusted query-string value is echoed into a response header,
        # which the browsable API later renders through break_long_headers.
        username = request.GET.get('username', '')
        response = Response('OK')
        response['Location'] = f'https://x.com/{username}'
        return response
```

```python
# urls.py
from django.urls import path

from .views import Index

urlpatterns = [
    path('api/', Index.as_view()),
]
```

I believe it is essential to register this issue as a CVE to ensure that users of earlier versions of DRF are aware and can manage this vulnerability appropriately. Your thoughts on this?
…9444) Co-authored-by: Francesco <[email protected]>
Description

The header input is now properly escaped before splitting and joining with `<br>` tags. This prevents potential XSS attacks if the header contains unsanitized user input.

This pull request addresses a potential XSS vulnerability in the `break_long_headers` template filter. By escaping the header input before processing, the risk of XSS attacks is mitigated.
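To make the reported behaviour and the fix concrete, here is an added, stand-alone model of the filter before and after escaping (illustration written for this page, not DRF's own source). It assumes `html.escape` as a stand-in for `django.utils.html.escape`, a minimal `SafeString`/`mark_safe` mimicking `django.utils.safestring`, and a `render` helper that models template autoescaping; the 160-character, comma-separated threshold is the filter's documented behaviour.

```python
from html import escape  # stand-in for django.utils.html.escape (assumption)


class SafeString(str):
    """Marker type: a template engine renders these verbatim (no autoescape)."""


def mark_safe(s: str) -> SafeString:
    return SafeString(s)


def render(value: str) -> str:
    """Model of Django template autoescaping: SafeString passes through,
    anything else is HTML-escaped at output time."""
    return value if isinstance(value, SafeString) else escape(value)


def break_long_headers_vulnerable(header: str):
    # Pre-fix behaviour: long, comma-separated headers are split onto lines and
    # the result is marked safe WITHOUT escaping, so markup inside the header
    # value reaches the page intact. Short headers are still autoescaped.
    if len(header) > 160 and ',' in header:
        return mark_safe('<br> ' + ', <br>'.join(header.split(',')))
    return header


def break_long_headers_fixed(header: str):
    # The fix described in the PR: escape the untrusted header text first, then
    # add the <br> tags, so only the filter's own markup is marked safe.
    if len(header) > 160 and ',' in header:
        return mark_safe('<br> ' + ', <br>'.join(escape(header).split(',')))
    return header


# Constructed sample: a Location header echoing a query value that contains
# markup, padded with comma-separated filler past the 160-character threshold.
INJECTED = '<i>injected</i>'
LONG_HEADER = 'https://example.test/' + INJECTED + ',' + ','.join(['a'] * 160)
SHORT_HEADER = 'https://example.test/' + INJECTED


def markup_survives(filter_fn, header: str) -> bool:
    """True when the raw injected tag appears in the rendered output."""
    return INJECTED in render(filter_fn(header))


if __name__ == '__main__':
    print('vulnerable, long :', markup_survives(break_long_headers_vulnerable, LONG_HEADER))
    print('fixed, long      :', markup_survives(break_long_headers_fixed, LONG_HEADER))
    print('vulnerable, short:', markup_survives(break_long_headers_vulnerable, SHORT_HEADER))
```

Note that the unfixed filter is only dangerous on the long-header path: a short header is returned as a plain string and autoescaped, which is why a test for this bug needs a value over 160 characters containing a comma.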