In my experience, misuse of mark_safe() — i.e. marking stuff safe which 
*isn’t* actually safe (e.g. HTML from a rich text input) — is one of the 
biggest causes of XSS vulnerabilities in Django projects.

The docs warn to be careful, but unfortunately I think Django devs have 
just got too used to mark_safe() being *the way* to insert HTML in a 
template. And it’s easy for something that was safe when it was authored 
(e.g. calling mark_safe() on a hard-coded string) to be copied / repurposed 
/ adapted into a case which is no longer safe (e.g. that string replaced 
with a user-provided value).

Some other frameworks use scary sounding names to help reinforce that there 
are dangers around similar features, and that this isn’t something you 
should use in everyday work — e.g. React’s dangerouslySetInnerHTML.

Relatedly, this topic 
<https://groups.google.com/d/msg/django-developers/c4fa2pOcHxo/EtT942WnyiAJ> 
suggested 
making it more explicit that mark_safe() refers to being safe for use in 
*HTML* contexts (rather than JS, CSS, SQL, etc).

Combining the two, it would be great if Django could rename mark_safe() to 
dangerously_trust_html(), |safe to |dangerously_trust_html, @csrf_exempt to 
@dangerously_csrf_exempt, etc.

Developers who know what they’re doing with these could then be encouraged 
to create suitable wrappers which handle their use case safely internally — 
e.g.:

import bleach
from django import template

register = template.Library()

@register.filter
def sanitize_and_trust_html(value):
    # Safe because we sanitize before trusting (dangerously_trust_html being the proposed new name for mark_safe)
    return dangerously_trust_html(bleach.clean(value))


To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/e0005e9f-765f-42a9-9c78-323e702b6784%40googlegroups.com.
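The pattern the message above describes, as an added, self-contained example that is not part of the original post and not Django's or bleach's code: `SafeString`, `mark_safe` and `conditional_escape` are small stand-ins written here to mimic Django's autoescaping behaviour, `dangerously_trust_html` is just an alias for the proposed rename, and `AllowlistSanitizer` is a minimal stdlib allowlist sanitizer standing in for `bleach.clean` (an illustration of "sanitize before trusting", not a production sanitizer). The comment payload in `demo()` is constructed.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString: a str flagged as already HTML-safe."""


def mark_safe(value):
    """Stand-in for django.utils.safestring.mark_safe (the post proposes renaming it)."""
    return value if isinstance(value, SafeString) else SafeString(value)


# The post's proposed name, here just an alias so the wrapper below reads as proposed.
dangerously_trust_html = mark_safe


def conditional_escape(value):
    """Stand-in for django.utils.html.conditional_escape: escape unless already marked safe."""
    if isinstance(value, SafeString):
        return value
    return mark_safe(html.escape(str(value), quote=True))


def render_comment(author, body):
    """Mimics a template `<p><b>{{ author }}</b>: {{ body }}</p>` with autoescaping on."""
    return f"<p><b>{conditional_escape(author)}</b>: {conditional_escape(body)}</p>"


# --- minimal allowlist sanitizer (stand-in for bleach.clean; illustration only) ---
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded; re-escaped on output
        self.out = []
        self.open_tags = []
        self.skipping = None  # DROP_WITH_CONTENT tag whose body is currently being discarded

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content is kept (and escaped)
        rendered = ""
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops on*, style, src, ...
            if name == "href":
                # strip the control chars / whitespace browsers ignore before checking the scheme
                scheme = urlsplit(re.sub(r"[\x00-\x20]", "", value)).scheme
                if scheme not in SAFE_SCHEMES:
                    continue  # javascript:, data:, vbscript:, ...
            rendered += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{rendered}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            while self.open_tags:  # also close anything left open inside it
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=True))

    def result(self):
        self.close()
        while self.open_tags:  # balance anything the input left unclosed
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(value):
    parser = AllowlistSanitizer()
    parser.feed(value)
    return parser.result()


def sanitize_and_trust_html(value):
    # Safe because we sanitize before trusting.
    return dangerously_trust_html(sanitize_html(value))


def demo():
    payload = "<img src=x onerror=alert(1)>"  # constructed attacker-controlled comment body
    return {
        # hard-coded markup: marking it safe is fine
        "hardcoded": render_comment("bot", mark_safe("<i>deleted</i>")),
        # user input left to autoescaping: harmless
        "autoescaped": render_comment("eve", payload),
        # the misuse the post describes: the payload reaches the page intact
        "misused": render_comment("eve", mark_safe(payload)),
        # sanitize first, then trust
        "sanitized": render_comment("eve", sanitize_and_trust_html(
            '<b>hi</b><script>alert(1)</script><a href="javascript:alert(1)" onclick="x">l</a>' + payload)),
    }
```

Running `demo()` shows the three outcomes side by side: the hard-coded string and the autoescaped input render harmlessly, the `mark_safe(payload)` case emits the `onerror` handler verbatim, and the wrapper keeps `<b>` while dropping the `<script>` body, the `javascript:` href, the `onclick` attribute and the `<img>` entirely. In a real project the sanitizer step should be bleach (or a comparable maintained library), not the toy allowlist above.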