According to the Jinja2 docs Link, it provides:
powerful automatic HTML escaping system for XSS prevention
According to the Flask docs, it prevents XSS attacks by configuring Jinja2 to automatically escape all values unless explicitly told otherwise. So does Jinja2 do anything on its own to prevent XSS attacks?
by default, everything flask outputs via jinja2 is HTML escaped so that even if you display a user generated string it is guaranteed not to contain any malicious javascript/html codes.
see more here
Related
I have a RESTful API endpoint with a Mongo backend. I allow users to filter their queries using GET parameters, e.g. to get analytics for the /about page on the site:
/page-analytics?filter_by=pagePath:/about
I would like to extend this to support regular expression filters, e.g. to get analytics for all pages below /about on the site:
/page-analytics?filter_by=pagePath:/about/.*
What is the safest way to do this? Should I enclose the regex inside enclosing markers, and should I get users to pass URL escaped variables?
My requirements are as follows: firstly, I would like to write backend code to check that we have a valid regex before passing it on to my database. Secondly, I don't want the regexes passed in by users to get messed up by URL escaping.
One example of a problem: I initially started by enclosing all my regexes in slashes, like /^about/.*$/, but that doesn't work well because my server removes trailing slashes from URLs.
If anyone has any tips, I'd be very grateful.
So I am building a web tool using Django REST API and Angular JS. I have CSRF protection built into the bootstrapped template. My question is, do I have to do server validation of the POST information when submitted on a form?
I am used to doing all the validation server side, but with the CSRF stuff and how the REST API works, I don't know if I need to? For instance if I want to validate that a piece of the form is only alphanumeric etc to prevent injections and such.
Thanks.
Django does a pretty good job when it comes to validation, so SQL injection shouldn't be your concern as long as you don't write raw queries - see here for more explanations.
However, if you have specific validation that you want and that is not enforced by django (such as not allowing a user to have a password length smaller than 8), you should definitely do it on the server side, even if you are already doing it in Angular.
From what I read in Django documentation, this is what LocaleMiddleware does:
LocaleMiddleware tries to determine the user’s language preference by following this algorithm:
First, it looks for the language prefix in the requested URL. This is
only performed when you are using the i18n_patterns function in your
root URLconf. See Internationalization: in URL patterns for more
information about the language prefix and how to internationalize URL
patterns.
Failing that, it looks for a django_language key in the current user’s
session.
Failing that, it looks for a cookie.
The name of the cookie used is set by the LANGUAGE_COOKIE_NAME
setting. (The default name is django_language.)
Failing that, it looks at the Accept-Language HTTP header. This header
is sent by your browser and tells the server which language(s) you
prefer, in order by priority. Django tries each language in the header
until it finds one with available translations.
Failing that, it uses the global LANGUAGE_CODE setting.
I want my django project to detect user country and use it in choosing default language?
How to do this:
I have two ideas in mind:
Write a new middleware which to execute before LocaleMiddleware and in this middleware if there is no cookie LANGUAGE_COOKIE_NAME to set it using django GeoLocation
Replace LocaleMiddleware and instead of looking for Accept-Language HTTP header to use django GeoLocation
What do you think?
Or may be there is another easier way?
Edit: I will have an option for changing language, the problem is only when you open the website (any page, not just front page) for the first time. I'm considering now to set django_language for the default website language /bg/ (if there is no such settings) and also use international urls /en/, /bg/. Also there have to be a language switch option. This way there will be no problem with search engines and I will not use geolocation at all.
Edit: Also there is this problem that here (in Bulgaria) most browsers headers are set to prefer English language which is not a good option :(
Actually it isn't a very good idea overall. You should rarely want to set a language for a client, that's why most sites use an optional language form. (flag buttons or possibly a dropdown select).
The LocaleMiddleware runs down a hierarchical path that most likely will pick the right translation (if available). A proper solution would be to hand your clients a form to set or switch their preference. You could populate the django_language session key if the form is processed.
Also crawlers will not scrape pages properly if forced to a language setting.
I found this, that is very usefull:
Middleware that will force django to use settings.LANGUAGE_CODE for default language and not use equest.META['HTTP_ACCEPT_LANGUAGE']
class ForceDefaultLanguageMiddleware(object):
"""
Ignore Accept-Language HTTP headers
This will force the I18N machinery to always choose settings.LANGUAGE_CODE
as the default initial language, unless another one is set via sessions or cookies
Should be installed *before* any middleware that checks request.META['HTTP_ACCEPT_LANGUAGE'],
namely django.middleware.locale.LocaleMiddleware
"""
def process_request(self, request):
if request.META.has_key('HTTP_ACCEPT_LANGUAGE'):
del request.META['HTTP_ACCEPT_LANGUAGE']
Source: https://gist.github.com/vstoykov/1366794
I am using ASP.NET and on ASP.NET page has validate attribute which checks for the XSS validations. However i would like to know that is it really sufficient ?
I have visited some of the related post on stackoverflow and that helped me but i am looking to understand how to plan for XSS when developing web sites ?
Do we have to check XSS on client side, AJAX also ? How to do that ? Are there any tools which can help testing the XSS ?
Thanks,
These are the basics:
Do not allow HTML input
Always html encode input when displaying it
Use the AntiXSSLibrary from Microsoft, or a similar library
Check it out: Allowing HTML and Preventing XSS # shiflett.org
After reading this: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-to-use-it
I came to the conclusion that it is not valid to use this except for when you trust the person who is using the page which enlists it. Is this correct?
I guess I don't really understand when it's safe to use this because of this statement:
This should not be done for POST forms
that target external URLs, since that
would cause the CSRF token to be
leaked, leading to a vulnerability.
The reason it's confusing is that; to me an "external URL" would be page on that isn't part of my domain (ie, I own www.example.com and put a form that posts to www.spamfoo.com. This obviously can't be the case since people wouldn't use Django for generating forms that post to other people's websites, but how could it be true that you can't use CSRF protection on public forms (like a login form)?
With apologies to not understanding the specific source of your confusion, I'll say that the question you should be asking is when NOT to use CSRF protection. You've already called out this case from the docs:
This should not be done for POST forms
that target external URLs, since that
would cause the CSRF token to be
leaked, leading to a vulnerability.
If you are posting a form to your domain, you'll want CSRF protection enabled by default, unless you have a specific reason to disable it (which should be more rare than not).