
Add `force_escape` filter to Django template translation content
Closed, Resolved | Public

Description

Security Review Summary - T273020 - 2021-08-09
Last commit reviewed: d9e475d1ff13

[...snip...]

For the application's node/js/vue code, I ran njsscan (default rule set) and semgrep (javascript, ci, security-audit rule, generic, contrib sets) static analysis tools. The following are the only results I found potentially worthy of review:

File | Line(s) | Issue | Risk
vue/templates/vue/base.html | 20 | Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using force_escape to explicitly escape a translated text. | Medium
vue/templates/vue/main.html | 9 | Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using force_escape to explicitly escape a translated text. | Medium

From https://docs.djangoproject.com/en/2.2/topics/i18n/translation/#internationalization-in-template-code:

WARNING: Translated strings will not be escaped when rendered in a template. This allows you to include HTML in translations, for example for emphasis, but potentially dangerous characters (e.g. ") will also be rendered unchanged.
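The following is an added illustration of why the finding above is real and why the fix has to be `force_escape` specifically; it is not Toolhub code and not Django itself. It models, in plain Python, the pieces of Django that interact here: the template parser marks a `{% trans "..." %}` string literal safe, `trans_real.gettext` returns a safe result whenever its msgid is safe, and autoescape (`conditional_escape`) passes anything safe through untouched. The catalog and the msgids are constructed for the example; the `render_*` functions stand in for the template fragments named in their docstrings.

```python
"""Stand-alone model of Django's {% trans %} escaping behaviour.

Written for this review note; not Toolhub code and not Django. The helper
classes mirror the relevant Django pieces so the example runs without Django
installed: SafeString/mark_safe, trans_real.gettext keeping a safe msgid safe,
conditional_escape (what autoescape and the |escape filter apply), and the
|force_escape filter.
"""

import html


class SafeString(str):
    """Mirror of django.utils.safestring.SafeString: a str autoescape skips."""

    def __html__(self):
        return self


def mark_safe(s):
    return s if isinstance(s, SafeString) else SafeString(s)


# Constructed catalog standing in for a translator-supplied .po/.mo file.
# The second entry is the case the semgrep finding warns about: whoever can
# edit the catalog ships markup instead of plain text.
CATALOG = {
    "Welcome to Toolhub": "Bienvenue sur Toolhub",
    "Log in": "<script>alert(1)</script>",
}


def gettext(message):
    """Mirror of django.utils.translation.trans_real.gettext: when the msgid
    is SafeData the translated result is marked safe too. {% trans "..." %}
    always passes a safe msgid (the parser marks string literals safe), so
    every translation of a literal comes back safe."""
    result = CATALOG.get(str(message), str(message))
    if isinstance(message, SafeString):
        return mark_safe(result)
    return result


def conditional_escape(value):
    """Mirror of django.utils.html.conditional_escape: applied by autoescape
    and by the |escape filter; anything with __html__ passes through as is."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return html.escape(str(value))


def force_escape(value):
    """Mirror of the |force_escape filter: escapes unconditionally, even when
    the input is already marked safe."""
    return mark_safe(html.escape(str(value)))


def render_trans(msgid):
    """{% trans "msgid" %}: literal marked safe, translated, rendered with the
    safe flag intact, so autoescape never touches the translator's text."""
    return conditional_escape(gettext(mark_safe(msgid)))


def render_trans_escape(msgid):
    """{% trans "msgid" as msg %}{{ msg|escape }}: |escape is conditional, so
    an already-safe translation is left alone. This does NOT fix the bug."""
    return conditional_escape(conditional_escape(gettext(mark_safe(msgid))))


def render_trans_force_escape(msgid):
    """{% trans "msgid" as msg %}{{ msg|force_escape }}: the fix applied in the
    Toolhub patch; any markup the catalog introduced is neutralised."""
    return conditional_escape(force_escape(gettext(mark_safe(msgid))))


if __name__ == "__main__":
    for msgid in CATALOG:
        print("{% trans %}                ->", render_trans(msgid))
        print("{% trans %} ... |escape       ->", render_trans_escape(msgid))
        print("{% trans %} ... |force_escape ->", render_trans_force_escape(msgid))
```

Two practical points follow from the model. First, `{% trans "..." as msg %}{{ msg }}` and `{{ msg|escape }}` are no safer than the bare tag, because the stored value is already marked safe and `escape` only escapes unsafe input; the filter has to be `force_escape`. Second, the price of the fix is that translators can no longer use inline markup such as `<strong>` in those strings, so each `force_escape` should be placed on strings that are meant to be plain text, as the patch does for the two templates listed above.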

Event Timeline

bd808 triaged this task as Medium priority. Aug 10 2021, 4:18 PM
bd808 created this task.

Change 711237 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[wikimedia/toolhub@main] ui: add `force_escape` filter to translated template strings

https://gerrit.wikimedia.org/r/711237

bd808 moved this task from Backlog to Review on the Toolhub board.

Change 711237 merged by jenkins-bot:

[wikimedia/toolhub@main] ui: add `force_escape` filter to translated template strings

https://gerrit.wikimedia.org/r/711237