Django XSS - can it happen in server side (views.py)?
up vote
0
down vote
favorite
My understanding is that Django has great default settings to minimize the risk that there is client size XSS attack, for example if you had <p>Hello user.username </p> in your template, where the user could type in anything they want for their username.
I don't see any references to XSS in client side Python files. Is my understanding correct that there is no major concern for a client side XSS attack?
As an example situation, the user can input anything they want into an input box. The results from that input box are stored in a database. That input is then queried from a database and sent in an email.
email = EmailMessage(
ExtendedUser.objects.filter(user__username=username)[0].email_subject,
ExtendedUser.objects.filter(user__username=username)[0].email_content,
'me@mysite.com',
['me@mysite.com']
)
email.content_subtype = "html"
email.send()
In situations like this, is there any need to strip any tags or sanitize anything anything? I'm not sure when I need to be concerned about malicious user inputted data.
EDIT: I know Django project writes "XSS attacks allow a user to inject client side scripts into the browsers of other users." I'm interested if there are any client side reasons to strip user inputted data of malicious tags.
python django xss
asked Nov 11 at 3:07
benjo
12
add a comment |
up vote
0
down vote
favorite
My understanding is that Django has great default settings to minimize the risk that there is client size XSS attack, for example if you had <p>Hello user.username </p> in your template, where the user could type in anything they want for their username.
I don't see any references to XSS in client side Python files. Is my understanding correct that there is no major concern for a client side XSS attack?
As an example situation, the user can input anything they want into an input box. The results from that input box are stored in a database. That input is then queried from a database and sent in an email.
email = EmailMessage(
ExtendedUser.objects.filter(user__username=username)[0].email_subject,
ExtendedUser.objects.filter(user__username=username)[0].email_content,
'me@mysite.com',
['me@mysite.com']
)
email.content_subtype = "html"
email.send()
In situations like this, is there any need to strip any tags or sanitize anything anything? I'm not sure when I need to be concerned about malicious user inputted data.
EDIT: I know Django project writes "XSS attacks allow a user to inject client side scripts into the browsers of other users." I'm interested if there are any client side reasons to strip user inputted data of malicious tags.
python django xss
asked Nov 11 at 3:07
benjo
12
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
My understanding is that Django has great default settings to minimize the risk that there is client size XSS attack, for example if you had <p>Hello user.username </p> in your template, where the user could type in anything they want for their username.
I don't see any references to XSS in client side Python files. Is my understanding correct that there is no major concern for a client side XSS attack?
As an example situation, the user can input anything they want into an input box. The results from that input box are stored in a database. That input is then queried from a database and sent in an email.
email = EmailMessage(
ExtendedUser.objects.filter(user__username=username)[0].email_subject,
ExtendedUser.objects.filter(user__username=username)[0].email_content,
'me@mysite.com',
['me@mysite.com']
)
email.content_subtype = "html"
email.send()
In situations like this, is there any need to strip any tags or sanitize anything anything? I'm not sure when I need to be concerned about malicious user inputted data.
EDIT: I know Django project writes "XSS attacks allow a user to inject client side scripts into the browsers of other users." I'm interested if there are any client side reasons to strip user inputted data of malicious tags.
python django xss
asked Nov 11 at 3:07
benjo
12
My understanding is that Django has great default settings to minimize the risk that there is client size XSS attack, for example if you had <p>Hello user.username </p> in your template, where the user could type in anything they want for their username.
I don't see any references to XSS in client side Python files. Is my understanding correct that there is no major concern for a client side XSS attack?
As an example situation, the user can input anything they want into an input box. The results from that input box are stored in a database. That input is then queried from a database and sent in an email.
email = EmailMessage(
ExtendedUser.objects.filter(user__username=username)[0].email_subject,
ExtendedUser.objects.filter(user__username=username)[0].email_content,
'me@mysite.com',
['me@mysite.com']
)
email.content_subtype = "html"
email.send()
In situations like this, is there any need to strip any tags or sanitize anything anything? I'm not sure when I need to be concerned about malicious user inputted data.
EDIT: I know Django project writes "XSS attacks allow a user to inject client side scripts into the browsers of other users." I'm interested if there are any client side reasons to strip user inputted data of malicious tags.
python django xss
python django xss
asked Nov 11 at 3:07
benjo
12
asked Nov 11 at 3:07
benjo
12
asked Nov 11 at 3:07
benjo
12
asked Nov 11 at 3:07
benjo
12
asked Nov 11 at 3:07
benjo
12
12
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
You should look into the documentation for %csrft token% tag
answered Nov 11 at 4:31
robotHamster
343115
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
You should look into the documentation for %csrft token% tag
answered Nov 11 at 4:31
robotHamster
343115
add a comment |
up vote
0
down vote
You should look into the documentation for %csrft token% tag
answered Nov 11 at 4:31
robotHamster
343115
add a comment |
up vote
0
down vote
up vote
0
down vote
You should look into the documentation for %csrft token% tag
answered Nov 11 at 4:31
robotHamster
343115
You should look into the documentation for %csrft token% tag
answered Nov 11 at 4:31
robotHamster
343115
answered Nov 11 at 4:31
robotHamster
343115
answered Nov 11 at 4:31
robotHamster
343115
answered Nov 11 at 4:31
robotHamster
343115
343115
add a comment |
add a comment |
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53245507%2fdjango-xss-can-it-happen-in-server-side-views-py%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
