SocialPass / socialpass

Hosting the next generation of events
https://registry.socialpass.io

Backend XSS Protection for Description #528

Closed crypto-rizzo closed 1 year ago

crypto-rizzo commented 1 year ago

I noticed (missed) the addition of dompurify on the frontend checkout app. This does not seem very robust to me. Most notably, it looks like we take the entirety of input from quill editor and mark_safe.

We should look at the latest for XSS security for django and implement on the backend.

https://docs.djangoproject.com/en/4.1/topics/security/

halfmoonui commented 1 year ago

I'm fairly certain that this comes with built-in security. For example, the config on settings.py looks like this:

QUILL_CONFIGS = {
    "default": {
        "theme": "snow",
        "modules": {
            "syntax": True,
            "toolbar": [
                [
                    {"align": []},
                    "bold",
                    "italic",
                    "underline",
                    "strike",
                ],
                ["link"],
            ]
        }
    }
}

If you try adding an HTML element that's not in this config, example, <button>Button</button>, the string gets stored in the database after it is made safe - &lt;button&gt;Button&lt;/button&gt;. So when this is rendered by the frontend, an actual button does not get rendered, just a string. I tested with this example on local, and also made sure to check if you can use inspect element to bypass (you can't). @crypto-rizzo
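As an added example that is not code from the SocialPass project or from either commenter: an allowlist sanitizer for a Quill-style description, written with the Python standard library only, that produces the behaviour described above (a tag outside the toolbar config such as `<button>` is stored escaped and renders as text) and additionally strips event-handler attributes and `javascript:` links from the tags that are allowed. The mapping from the toolbar config (align, bold, italic, underline, strike, link) to the HTML tags `<p>`, `<strong>`, `<em>`, `<u>`, `<s>`, `<a href>` and `ql-align-*` classes is an assumption, as is the function name `sanitize_description`; the output of such a function is what a backend would pass to `mark_safe`, never the raw editor input.

```python
"""Allowlist HTML sanitizer for rich-text descriptions (added example).

Assumed tag mapping for the Quill toolbar in the issue: align -> <p class="ql-align-*">,
bold -> <strong>, italic -> <em>, underline -> <u>, strike -> <s>, link -> <a href>.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags the configured editor can legitimately emit (assumed mapping).
ALLOWED_TAGS = {"p", "br", "strong", "em", "u", "s", "a"}
# Attributes kept per tag; anything else (onclick, style, onerror, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href"}, "p": {"class"}}
# Only these URL schemes survive on <a href>; javascript:, data:, vbscript: do not.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def _safe_href(value):
    """True only for absolute http(s)/mailto links; relative links are rejected too."""
    return urlparse(value.strip()).scheme.lower() in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping allowlisted tags/attributes; other tags are escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # stack used to keep the output well-formed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Not in the allowlist: emit the raw tag text escaped so the
            # browser shows it literally (e.g. <button> becomes &lt;button&gt;).
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_href(value):
                continue
            if name == "class" and not all(c.startswith("ql-align-") for c in value.split()):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        # Self-closing form (<br/>, <img/>): treat as a start tag only.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(f"</{tag}>"))
        elif tag in self.open_tags:
            # Close anything opened after this tag so nesting stays balanced.
            while self.open_tags:
                opened = self.open_tags.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break
        # An end tag for an allowed element that was never opened is dropped.

    def handle_data(self, data):
        # Text nodes are always escaped, including content of <script>/<style>.
        self.out.append(escape(data))

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_description(raw_html):
    """Return a sanitized string safe to store and later mark as safe for rendering."""
    parser = AllowlistSanitizer()
    parser.feed(raw_html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    for sample in (
        "<button>Button</button>",
        '<p class="ql-align-center"><strong>Hello</strong></p>',
        '<a href="javascript:alert(1)" onclick="steal()">link</a>',
        "<img src=x onerror=alert(1)>",
    ):
        print(repr(sample), "->", repr(sanitize_description(sample)))
```

In a Django project this check belongs where the description is saved (a form field's `clean()` or the model's `save()`), so the stored value is already safe and the template layer never has to trust raw editor output; a frontend sanitizer such as dompurify then only duplicates the work rather than being the sole line of defence.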

crypto-rizzo commented 1 year ago

👍 👍 looks like you're right on this one

Go ahead and close this one for now, but back to my original point - I wonder if we need that dompurify package on the frontend then, if things are already sanitized on the backend?