|
|
@ -38,7 +38,7 @@ either double or single quotes when using Jinja expressions in them: |
|
|
|
|
|
|
|
|
|
|
|
.. sourcecode:: html+jinja |
|
|
|
.. sourcecode:: html+jinja |
|
|
|
|
|
|
|
|
|
|
|
<a href="{{ href }}">the text</a> |
|
|
|
<input value="{{ value }}"> |
|
|
|
|
|
|
|
|
|
|
|
Why is this necessary? Because if you would not be doing that, an |
|
|
|
Why is this necessary? Because if you would not be doing that, an |
|
|
|
attacker could easily inject custom JavaScript handlers. For example an |
|
|
|
attacker could easily inject custom JavaScript handlers. For example an |
|
|
@ -48,13 +48,24 @@ attacker could inject this piece of HTML+JavaScript: |
|
|
|
|
|
|
|
|
|
|
|
onmouseover=alert(document.cookie) |
|
|
|
onmouseover=alert(document.cookie) |
|
|
|
|
|
|
|
|
|
|
|
When the user would then move with the mouse over the link, the cookie |
|
|
|
When the user would then move with the mouse over the input, the cookie |
|
|
|
would be presented to the user in an alert window. But instead of showing |
|
|
|
would be presented to the user in an alert window. But instead of showing |
|
|
|
the cookie to the user, a good attacker might also execute any other |
|
|
|
the cookie to the user, a good attacker might also execute any other |
|
|
|
JavaScript code. In combination with CSS injections the attacker might |
|
|
|
JavaScript code. In combination with CSS injections the attacker might |
|
|
|
even make the element fill out the entire page so that the user would |
|
|
|
even make the element fill out the entire page so that the user would |
|
|
|
just have to have the mouse anywhere on the page to trigger the attack. |
|
|
|
just have to have the mouse anywhere on the page to trigger the attack. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
There is one class of XSS issues that Jinja's escaping does not protect |
|
|
|
|
|
|
|
against. The ``a`` tag's ``href`` attribute can contain a `javascript:` URI, |
|
|
|
|
|
|
|
which the browser will execute when clicked if not secured properly. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
.. sourcecode:: html |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<a href="{{ value }}">click here</a> |
|
|
|
|
|
|
|
<a href="javascript:alert('unsafe');">click here</a> |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
To prevent this, you'll need to set the :ref:`security-csp` response header. |
|
|
|
|
|
|
|
|
|
|
|
Cross-Site Request Forgery (CSRF) |
|
|
|
Cross-Site Request Forgery (CSRF) |
|
|
|
--------------------------------- |
|
|
|
--------------------------------- |
|
|
|
|
|
|
|
|
|
|
@ -125,6 +136,8 @@ man-in-the-middle (MITM) attacks. :: |
|
|
|
|
|
|
|
|
|
|
|
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security |
|
|
|
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
.. _security-csp: |
|
|
|
|
|
|
|
|
|
|
|
Content Security Policy (CSP) |
|
|
|
Content Security Policy (CSP) |
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
|
|
|
|
|
|
|
|
|
@ -132,7 +145,7 @@ Tell the browser where it can load various types of resource from. This header |
|
|
|
should be used whenever possible, but requires some work to define the correct |
|
|
|
should be used whenever possible, but requires some work to define the correct |
|
|
|
policy for your site. A very strict policy would be:: |
|
|
|
policy for your site. A very strict policy would be:: |
|
|
|
|
|
|
|
|
|
|
|
response.headers['Content-Security-Policy'] = "default-src: 'self'" |
|
|
|
response.headers['Content-Security-Policy'] = "default-src 'self'" |
|
|
|
|
|
|
|
|
|
|
|
- https://csp.withgoogle.com/docs/index.html |
|
|
|
- https://csp.withgoogle.com/docs/index.html |
|
|
|
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy |
|
|
|
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy |
|
|
|