Sri: Of course you must make sure there's no XSS. You also must make sure there's no remote code execution, and that your memcached servers aren't running unauthenticated on a publicly exposed port.
> If your website has an XSS vulnerability, there can be no CSRF protection.
> This is because XSS makes it possible to steal the csrf as well as session
> cookie.

If there's an XSS vulnerability, it doesn't matter AT ALL that the CSRF cookie can be stolen, because an XSS can be used to directly submit malicious forms, using the existing session and CSRF cookies, even if they're both set to httpOnly. [1] The browser submits them with every request to your domain.

> this isn't sufficient to prevent XSS. For example, if you insert dynamic
> content as part of an html attribute,

Wrong. What you meant was "as part of an UNQUOTED html attribute". As the security document very clearly says, DON'T EVER DO THAT. It's the first thing right at the top there. I'll link to it, in case anyone missed that.

https://docs.djangoproject.com/en/dev/topics/security/#cross-site-scripting-xss-protection

Always use quotes around your HTML attributes. If you do that, inserting Django's escaped content into HTML attributes is safe. If you use unquoted HTML attributes, you should go fix your sites right now.

> or as part of a javascript string -

The best way to avoid XSS in those situations is to NEVER EVER do that. Use Django's XSS prevention for HTML, and serialize javascript values as JSON. You probably want to load them asynchronously, so your javascript files can be cached (you weren't writing raw javascript directly into your HTML, were you?) [2]. Serialize the raw Python data structures directly into JSON, rather than constructing JSON by hand. Python has a good JSON serializer, and Django includes one if you are using an old version of Python. As you said, Django's HTML escaping doesn't escape Javascript. That's what JSON is for. And of course, always use a JSON parser to parse the JSON (built into most modern browsers and javascript frameworks), rather than doing eval().

> This isn't Django's limitation though. Templates cannot figure out the
> context in which the author is inserting dynamic content. So, in a nutshell,
> you should be careful

Yep. It's always important to be careful.

Sorry for the extensive reply, but security is such a rabbit hole, it's easy to jump from one topic to another till you're talking about something completely different.

Best,
-Paul

[1] Django 1.4 sets the session cookie to httpOnly by default, making it much harder to steal via XSS.

[2] The ability to write javascript directly into HTML will eventually go away, when CSP gains broad acceptance. This will alleviate most XSS problems, but requires a more strict separation of content from scripting.
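The pattern Paul describes (escaped and always-quoted HTML attributes; page data serialized with the JSON library instead of built by string concatenation; a JSON parser rather than eval() on the client) as an added, self-contained example. This is not code from the thread or from Django. It assumes Python 3's standard `html` and `json` modules; the function names, the `<script type="application/json">` carrier element and the sample values are constructed for the illustration.

```python
import html
import json


def html_attr(name, value):
    """Render one HTML attribute with the value escaped AND quoted.

    html.escape(quote=True) turns '"', "'", '<', '>' and '&' into entities,
    so an escaped value inside a quoted attribute can never end the attribute.
    Escaping alone does NOT protect an unquoted attribute: a space survives
    html.escape() unchanged and would start a new attribute there.
    """
    return '%s="%s"' % (name, html.escape(str(value), quote=True))


# Characters the HTML parser treats specially even inside a <script> block.
# Replacing them with JSON \u escapes keeps the text valid JSON (json.loads()
# and JSON.parse() still round-trip it) while guaranteeing the output contains
# no '<', '>' or '&', so it can never form '</script>' or any other tag.
_HTML_SAFE_JSON = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def json_for_html(data):
    """Serialize a Python data structure to JSON that can sit inside a
    <script> element. The data goes through json.dumps, never through
    hand-built string concatenation, so quoting is always correct."""
    text = json.dumps(data)
    for char, escaped in _HTML_SAFE_JSON.items():
        text = text.replace(char, escaped)
    return text


def render_profile(display_name, profile_data):
    """Build a small page: escaped text and attributes for the HTML parts,
    the data the page's javascript needs in a non-executable
    <script type="application/json"> block, and JSON.parse() (not eval) on
    the client side to read it. (Hypothetical page layout.)"""
    return "\n".join([
        "<h1 %s>%s</h1>" % (html_attr("title", display_name),
                            html.escape(display_name)),
        '<script id="profile-data" type="application/json">%s</script>'
        % json_for_html(profile_data),
        "<script>",
        "  var profile = JSON.parse("
        "document.getElementById('profile-data').textContent);",
        "</script>",
    ])


if __name__ == "__main__":
    # Constructed sample input containing the characters that break naive output.
    sample_name = 'Ada "the" <Lovelace> & Co'
    sample_data = {"bio": "</script><i>not a tag</i>", "tags": ["a&b", "c<d"]}
    print(render_profile(sample_name, sample_data))
```

Running the module prints a page in which the `</script>` inside the sample bio has become `\u003c/script\u003e`, so the JSON block still closes where the template closes it, and the `<h1>` title attribute contains `&quot;` rather than a raw quote. The JSON data block is parsed by `JSON.parse` on the client; nothing user-controlled is ever written into executable javascript.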