encode / django-rest-framework

Web APIs for Django. 🎸
https://www.django-rest-framework.org

Fix potential XSS vulnerability in break_long_headers template filter #9435

Closed ch4n3-yoon closed 3 weeks ago

ch4n3-yoon commented 3 weeks ago

Description

The header input is now properly escaped before splitting and joining with <br> tags. This prevents potential XSS attacks if the header contains unsanitized user input.

This pull request addresses a potential XSS vulnerability in the break_long_headers template filter. By escaping the header input before processing, the risk of XSS attacks is mitigated.

tomchristie commented 3 weeks ago

@browniebroke Let's prioritise getting this sorted, rather than waiting on a test case.

I'd marginally prefer #9438 over this, since the line break isn't actually required; however, we should just go with whatever gets this resolved as quickly as possible at this point.

ch4n3-yoon commented 3 weeks ago

I've identified a potential XSS vulnerability related to the break_long_headers template filter used in the rest_framework/base.html template file by APIView. This file employs the break_long_headers template filter, making the following code vulnerable to XSS attacks due to unsanitized user input:

```python
# views.py
from rest_framework.views import APIView
from rest_framework.response import Response


class Index(APIView):
    def get(self, request):
        # Attacker-controlled query parameter, copied verbatim into a
        # response header that base.html later renders via break_long_headers.
        username = request.GET.get('username', '')

        response = Response('OK')
        response['Location'] = f'https://x.com/{username}'
        return response


# urls.py
from django.urls import path

urlpatterns = [path('api/', Index.as_view()), ]
```

I believe it is essential to register this issue as a CVE to ensure that users of earlier versions of DRF are aware and can manage this vulnerability appropriately. Your thoughts on this?
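To make the fix described in the PR description and the reproduction above concrete, here is an added illustration (not django-rest-framework's own code) of a break_long_headers-style filter before and after escaping the value, with stdlib stand-ins for Django's mark_safe, escape and template autoescaping so it runs without Django; the 160-character threshold and the SafeString/render helpers are assumptions of this example.

```python
import html

LIMIT = 160  # assumed threshold: the filter only wraps "long" header values


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString (not autoescaped)."""


def mark_safe(s):
    return SafeString(s)


def escape(s):
    # Django's escape() also converts quotes; html.escape(quote=True) matches.
    return html.escape(str(s), quote=True)


def break_long_headers_vulnerable(header):
    """'Before': the raw header is joined with <br> and marked safe, so any
    markup inside the header value reaches the page unescaped."""
    if len(header) > LIMIT and "," in header:
        header = mark_safe("<br> " + ", <br>".join(header.split(",")))
    return header


def break_long_headers_fixed(header):
    """'After': escape the value first, then split on commas and insert the
    <br> markup, so only the markup generated here is marked safe."""
    if len(header) > LIMIT and "," in header:
        header = mark_safe("<br> " + ", <br>".join(escape(header).split(",")))
    return header


def render(value):
    """Stand-in for template autoescaping: escape anything not SafeString."""
    return value if isinstance(value, SafeString) else escape(value)


# Constructed sample: a comma-separated Location-style header padded past the
# limit, with an HTML tag where an attacker-controlled value would land.
INJECTED = "<b>injected</b>"
SAMPLE_HEADER = "https://x.com/" + INJECTED + ", " + "a" * 170


def demo():
    """Return (rendered before fix, rendered after fix) for SAMPLE_HEADER."""
    return (render(break_long_headers_vulnerable(SAMPLE_HEADER)),
            render(break_long_headers_fixed(SAMPLE_HEADER)))
```

Short headers (at or under the threshold) pass through the filter unchanged and are still covered by template autoescaping, which render() models; the defect only appears on the long, comma-separated path where the filter marks its output safe.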