XSS Vulnerability

Posted by Ross Poulton on Thu 08 June 2006 #geeky #django #programming

A week or so ago I received an e-mail from a nice new zealander, Simon Greenhill, alerting me to a cross-site scripting vulnerability in the comments portion of my blog. The vulnerability will actually probably be of concern to anybody using the comments module from Django - I haven't dug far enough into it as yet to confirm exactly what's at risk.

If you read on, you can see the contents of the e-mail he sent through to me. Basically, the 'name' field from the comments needs to be escaped at the time when the comment preview is displayed. I patched my code some time ago, but now I've got the chance I'm making it public to help everybody else out.

His e-mail said this:

    However - I've noticed one problem - your comment preview form is at risk of XSS. If I enter javascript into the name field ( e.g. <script>alert( 'hi');</script> ), it'll be executed. Easily fixed escaping - change this line:

    <p>Posted by <strong>{{ comment.person_name }}</strong></p>

    to:

    <p>Posted by <strong>{{ comment.person_name|escape|urlizetrunc:"40"|linebreaks }}</strong></p>

    If this isn't caught at the preview form stage, then it's going to affect your comments listing too since, again, comment.person_name isn't escaped.

    The things in comment_form don't seem to be susceptible to this, so I think Django's manipulator's are taking care of the form fields.

So, if you've copied my comments code off this site, it's probably worth making that change for now, until at least Django automatically handles this (to be honest, I thought django.contrib.comments would automatically do this - but I'm sure there's a reason against it) or I can find a 'better' way around it.