jmrivas86 / django-json-widget

An alternative widget that makes it easy to edit Django's new JSONField (a PostgreSQL-specific model field)
MIT License

Prevent XSS injection if "</script>" present in data #21

Status: Closed (bpartridge closed this 4 years ago)

bpartridge commented 5 years ago

There's currently a dangerous XSS injection opportunity if any data includes a string including a closing script tag. It will cause the script to be closed early, and any subsequent characters may be injected into the HTML of the admin page, including malicious scripts. escapejs within a string is a better filter to use for this purpose, and we parse the resulting string.

Users may apply a temporary fix in their own codebases with the following:

from django_json_widget.widgets import JSONEditorWidget

# Subclass the shipped widget and point it at a copy of the template
# that escapes the JSON safely before embedding it in the <script> block.
class PatchedJSONEditorWidget(JSONEditorWidget):
    template_name = 'django_json_widget_patched.html'

And then replace the offending line in django_json_widget_patched.html in your codebase.
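
The injection described in this comment, and the escapejs-then-parse fix it proposes, as an added example that is not part of the original issue or of the django-json-widget code base. The `escapejs` function below reimplements the escape table of Django's filter in plain Python so the example runs without Django; `PAYLOAD`, the two template strings, and the `browser_roundtrip` simulation are constructed for illustration and are not the widget's actual template.

```python
"""Vulnerable vs. hardened embedding of JSON data in an inline <script>."""
import json
import re

# Escape table of Django's ``escapejs`` filter, reimplemented here so the
# example runs without Django installed (assumption: matches the filter the
# issue refers to). Every dangerous character becomes a \uXXXX escape that is
# valid inside a JS string literal and is also a valid JSON escape.
_JS_ESCAPES = {
    ord("\\"): "\\u005C", ord("'"): "\\u0027", ord('"'): "\\u0022",
    ord(">"): "\\u003E", ord("<"): "\\u003C", ord("&"): "\\u0026",
    ord("="): "\\u003D", ord("-"): "\\u002D", ord(";"): "\\u003B",
    ord("`"): "\\u0060", ord("\u2028"): "\\u2028", ord("\u2029"): "\\u2029",
}
_JS_ESCAPES.update((c, "\\u%04X" % c) for c in range(32))


def escapejs(value: str) -> str:
    """Escape text for use inside a quoted JavaScript string literal."""
    return str(value).translate(_JS_ESCAPES)


# Hypothetical templates standing in for the widget's: the vulnerable one drops
# the serialised JSON straight into the script body, the hardened one wraps the
# escaped JSON in a quoted string and lets the browser parse it.
VULNERABLE_TEMPLATE = '<script>var data = {json};</script>'
HARDENED_TEMPLATE = '<script>var data = JSON.parse("{json}");</script>'


def render_vulnerable(data) -> str:
    return VULNERABLE_TEMPLATE.format(json=json.dumps(data))


def render_hardened(data) -> str:
    return HARDENED_TEMPLATE.format(json=escapejs(json.dumps(data)))


_SCRIPT_BODY = re.compile(r"<script>(.*)</script>$", re.S)


def script_closes_early(html: str) -> bool:
    """True if the HTML tokenizer would end the script element before the
    intended closing tag, which is what lets injected markup run."""
    body = _SCRIPT_BODY.search(html).group(1)
    return re.search(r"</script", body, re.I) is not None


def browser_roundtrip(html: str):
    """Simulate the hardened page: decode the JS string literal (its \\uXXXX
    escapes are shared with JSON), then JSON.parse the result."""
    literal_src = re.search(r'JSON\.parse\("(.*)"\)', html, re.S).group(1)
    literal = json.loads('"' + literal_src + '"')
    return json.loads(literal)


# Constructed sample data containing a closing script tag.
PAYLOAD = {"note": "</script><script>alert(document.cookie)</script>", "n": 1}

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print("closes early:", script_closes_early(render_vulnerable(PAYLOAD)))
    print(render_hardened(PAYLOAD))
    print("closes early:", script_closes_early(render_hardened(PAYLOAD)))
    print("roundtrip equal:", browser_roundtrip(render_hardened(PAYLOAD)) == PAYLOAD)
```

In the vulnerable rendering the first `</script>` inside the data ends the element and the remaining `<script>alert(...)</script>` is parsed as markup. In the hardened rendering `<`, `>` and `"` are all `\uXXXX` escapes, so neither the HTML tokenizer nor the JS string literal terminates early, and `JSON.parse` still recovers the original object. Django 2.1 and later also ship a `json_script` template filter that performs an equivalent safe embedding.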

jmrivas86 commented 5 years ago

Hello, First of all thank you very much for your collaboration. I am reviewing and accepting the PR I have open. Could you check the conflict in your PR?

Thank you

jmrivas86 commented 4 years ago

I tested this PR and the changes have broken the functionality because the widget content has been lost.