jmrivas86 / django-json-widget

An alternative widget that makes it easy to edit the new Django's field JSONField (PostgreSQL specific model fields)
MIT License

Avoid HTML injection via unsafe JSON injection #64

Closed ashokdelphia closed 1 year ago

ashokdelphia commented 2 years ago

This change follows the Django docs' suggested approach for safely setting a JSON literal in a template: https://docs.djangoproject.com/en/3.2/ref/templates/builtins/#json-script.

In the old code, if a string literal within the JSON included `</script>`, then that would be interpreted by the browser as closing the script tag, and thus allow arbitrary HTML to then be injected into the page. This is especially dangerous if the JSON for the widget can include user content, and if the widget is being used within the Django admin interface.


Users who would like to patch this locally, before this fix is merged/released, can follow the approach in #21 and derive a patched widget like so:

```python
import json
from django_json_widget.widgets import JSONEditorWidget

class PatchedJSONEditorWidget(JSONEditorWidget):
    # template copied from the fix branch; it renders the value with json_script
    template_name = 'django_json_widget_patched.html'

    def format_value(self, value):
        # hand the template a Python object so json_script can serialise and escape it
        return json.loads(value)
```

And copy django_json_widget/templates/django_json_widget.html from this branch to templates/django_json_widget_patched.html in their own app.


Fixes jmrivas86/django-json-widget#62.

Note that to merge this safely, we'd need to drop support for at least Django < 2.1, which has been out of extended support since April 2019. 2.2 LTS also goes out of extended support in April; I wonder if it would be worthwhile to align with Django's supported versions, to simplify fixing bugs like this. I've proposed a change in #65 to stop declaring support for < 2.2, which ideally would merge before/with this change.
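Added example (not code from the PR or the project) showing why the inline pattern breaks and what `json_script` changes. To run without Django installed, it re-implements the filter's escape table from `django.utils.html` rather than importing it, and the element id and sample value are constructed for the demonstration:

```python
import json

# Same three characters Django's json_script filter escapes (django.utils.html),
# copied here so the example runs without Django installed.
JSON_SCRIPT_ESCAPES = {
    ord('>'): '\\u003E',
    ord('<'): '\\u003C',
    ord('&'): '\\u0026',
}

# Constructed sample: a JSONField value whose string carries a closing script tag.
UNTRUSTED_VALUE = {"name": "</script><b>injected</b><script>"}


def render_inline_unsafe(value):
    """The pre-fix pattern: raw json.dumps output dropped straight into a <script>."""
    return '<script>var data = %s;</script>' % json.dumps(value)


def render_json_script(value, element_id):
    """The json_script pattern: HTML-significant characters become JSON \\u escapes."""
    escaped = json.dumps(value).translate(JSON_SCRIPT_ESCAPES)
    return '<script id="%s" type="application/json">%s</script>' % (element_id, escaped)


def script_tag_closed_early(markup):
    """True if a </script> appears before the one the template itself wrote."""
    return markup.count('</script>') > 1


def payload_round_trips(value, element_id):
    """What browser-side JSON.parse(element.textContent) would get back."""
    markup = render_json_script(value, element_id)
    start = markup.index('>') + 1          # end of the opening <script ...> tag
    end = markup.rindex('</script>')
    return json.loads(markup[start:end]) == value
```

The escaped form is still valid JSON, so the widget's JavaScript reads it back unchanged while the browser's HTML parser never sees a tag boundary inside the data.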

ashokdelphia commented 2 years ago

I just noticed that json_script was only introduced in Django 2.1, so this fix isn't suitable for older Django versions.

Would it be reasonable to drop support for earlier Django versions? (Django 2.1 is almost 3 years old.)

StevenMapes commented 1 year ago

I say yes, support for anything other than 3.2, 4.0 and 4.1 should be considered unsupported now. 4.0 goes EOL in under 3 months and 4.2 should have its initial alpha release this month, so it'd be nice to have the PRs merged and cleaned up, as personally I'm close to removing using this project due to it soon becoming a blocker.

ashokdelphia commented 1 year ago

Is there anything I can do to help move this and #65 forward?

StevenMapes commented 1 year ago

I messaged José on Twitter and he's going to look to update the project next month as he's really busy at the moment it seems, so hopefully before the end of June there'll be an updated release on pypi with this update as well as the other three PRs that have come in at the very least :)

bpartridge commented 1 year ago

OP here from the old #21 - thanks so much for reviving this! Any progress on this so far?