Page MenuHomePhabricator
Create Task
Maniphest T288539

Add `force_escape` filter to Django template translation content
Closed, ResolvedPublic
Actions

Description

In T273020#7271039, @sbassett wrote:

Security Review Summary - T273020 - 2021-08-09
Last commit reviewed: d9e475d1ff13

[...snip...]

For the application's node/js/vue code, I ran njsscan (default rule set) and semgrep (javascript, ci, security-audit rule, generic, contrib sets) static analysis tools. The following are the only results I found potentially worthy of review:

FileLine(s)IssueRisk
vue/templates/vue/base.html20Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using force_escape to explicitly escape a transalted text. Medium
vue/templates/vue/main.html9Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using force_escape to explicitly escape a transalted text. Medium

From https://docs.djangoproject.com/en/2.2/topics/i18n/translation/#internationalization-in-template-code:

WARNING: Translated strings will not be escaped when rendered in a template. This allows you to include HTML in translations, for example for emphasis, but potentially dangerous characters (e.g. ") will also be rendered unchanged.

Details

ProjectBranchLines +/-Subject
wikimedia/toolhubmain+14 -10ui: add `force_escape` filter to translated template strings
Customize query in gerrit

Related Objects
Search...

Event Timeline

bd808 triaged this task as Medium priority.Aug 10 2021, 4:18 PM
bd808 created this task.
bd808 mentioned this in T273020: Security Readiness Review For Toolhub.Aug 10 2021, 6:11 PM
gerritbot added a comment.Aug 11 2021, 12:37 AM

Change 711237 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[wikimedia/toolhub@main] ui: add `force_escape` filter to translated template strings

https://gerrit.wikimedia.org/r/711237

gerritbot added a project: Patch-For-Review.Aug 11 2021, 12:37 AM
bd808 claimed this task.Aug 11 2021, 12:37 AM
bd808 moved this task from Backlog to Review on the Toolhub board.
Restricted Application added a project: User-bd808. · View Herald TranscriptAug 11 2021, 12:37 AM
gerritbot added a comment.Aug 12 2021, 6:32 PM

Change 711237 merged by jenkins-bot:

[wikimedia/toolhub@main] ui: add `force_escape` filter to translated template strings

https://gerrit.wikimedia.org/r/711237

Maintenance_bot removed a project: Patch-For-Review.Aug 12 2021, 7:11 PM
bd808 closed this task as Resolved.Aug 13 2021, 7:54 PM
bd808 added a project: Developer-Advocacy (Jul-Sep 2021).Aug 30 2021, 10:03 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL