Django: extra HTML attribute escaping recommended by OWASP

Django escapes these characters: & < > " ' , which is enough for inserting data into HTML element content. However, if you want to put untrusted data into attributes, OWASP recommends escaping a lot more characters:

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity, if available) to prevent switching out of the attribute.

The reason is that it is very easy to leave the quotes off an attribute, and unquoted attributes can be broken out of with many characters, including [space] % * + , - / ; < = > ^ and |

Is there a built-in function or library for this?

PS: Another blog post worth reading explains why a broader escaping function is required in some contexts: http://wonko.com/post/html-escaping

+3




2 answers


There are no built-in functions for this in Django. I don't know of any libraries.

The built-in HTML escape filter is used for both attribute and non-attribute content, so an additional escaping filter for attributes only might be needed.

You can suggest this by opening a feature request in the Django tracker.



I'm not sure whether the existing escape filter can be changed. I would expect that adding this functionality to Django's built-in filters could break many legacy applications. I'm not an expert here, so I suggest you discuss this with the Django authors. The practical risk is quite small when weighed against the potential headache of breaking existing Django applications, so I'm not sure how a behaviour change would be received.

On the other hand, if you have to remember to apply a filter to each attribute variable anyway, you could just as well remember to quote the attribute. I think this approach is more useful in frameworks that do not treat templates as plain text.

In the meantime, you can also try monkey-patching Django's filter functions to perform the additional escaping, by writing your own replacement filter.

+2



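The answer above says there is no built-in filter and suggests writing your own. The following is an added example (not code from the question, the answers, or Django itself) of what such a filter looks like, and why the question's concern is real: it implements the quoted OWASP rule, puts a constructed payload into an attribute whose quotes were forgotten, and parses the result with the standard-library HTML parser to show which attributes a browser would actually see. The Django-style escaper is reimplemented locally so the demonstration runs without Django; the optional filter registration at the end assumes it lives in a `templatetags` module of an installed app and is an assumption about how you would wire it up, not part of the original answer.

```python
"""Attribute-context escaping per the OWASP rule quoted in the question.

Added example, not code from the question or the answers. The Django-style
escaper is reimplemented here so the demonstration runs without Django.
"""
import re
from html.parser import HTMLParser

# The five characters Django's escape filter replaces (django.utils.html.escape).
_DJANGO_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}

_ALNUM = re.compile(r"[A-Za-z0-9]")


def django_style_escape(value) -> str:
    """Element-content escaping equivalent to Django's escape filter."""
    return "".join(_DJANGO_ESCAPES.get(ch, ch) for ch in str(value))


def escape_html_attr(value) -> str:
    """OWASP attribute escaping: every character that is not ASCII alphanumeric
    and whose code point is below 256 becomes &#xHH;. Higher code points are
    left alone, as in the rule; none of them can terminate an attribute."""
    out = []
    for ch in str(value):
        cp = ord(ch)
        if _ALNUM.match(ch) or cp >= 256:
            out.append(ch)
        else:
            out.append(f"&#x{cp:02X};")
    return "".join(out)


def render_unquoted_title(value, escaper) -> str:
    """Simulate a template where the author forgot the quotes:
    <span title={{ value|filter }}>...</span>."""
    return f"<span title={escaper(value)}>link</span>"


class _FirstTagAttrs(HTMLParser):
    """Collects the attributes of the first start tag, as a browser would see them."""

    def __init__(self):
        super().__init__()  # character references in attribute values are decoded
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    """Attribute name -> decoded value for the first tag in the markup."""
    p = _FirstTagAttrs()
    p.feed(markup)
    p.close()
    return p.attrs or {}


# Constructed payload: it contains none of & < > " ', so Django's escape passes it through.
PAYLOAD = "x onmouseover=alert(1)"

# Optional Django wiring (assumed to live in a templatetags module of an installed app).
try:
    from django import template
    from django.utils.safestring import mark_safe

    register = template.Library()

    @register.filter(name="escape_attr")
    def escape_attr_filter(value):
        # Escapes unconditionally (like force_escape), so the result is safe to mark.
        return mark_safe(escape_html_attr(value))
except ImportError:  # Django not installed: the pure-Python functions above still work
    pass


if __name__ == "__main__":
    for name, esc in (("django escape", django_style_escape), ("owasp attr", escape_html_attr)):
        markup = render_unquoted_title(PAYLOAD, esc)
        print(f"{name:14} {markup}\n{'':14} browser sees {parsed_attributes(markup)}")
```

With Django-style escaping the payload comes through unchanged and the parser reports a second attribute, `onmouseover="alert(1)"`, on the tag; with the attribute escaper the space and `=` become `&#x20;` and `&#x3D;`, so the whole payload stays inside `title` and decodes back to the original text only after the attribute has been tokenised. The filter escapes unconditionally, so it will double-escape a value that is already marked safe; apply it to raw values only, and in the template still put the quotes back.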

You can use https://pypi.python.org/pypi/bleach to clean (sanitize) your input



-1








