% Rendering into JavaScript

severity: 4
type: antipattern
tags: []
layers: [templates, views]
related_packages: []

Often one wants to pass some data to JavaScript and to do that one renders into JavaScript using Django. for example:

<body>
Body Content
<script>
    let a = {{ var_1 }};
    let b = "{{ var_2|safe }}";
</script>
<script>
    let c = {{ var_3|safe }};
</script>
</body>

Why is it a problem?

This is very unsafe and it makes one vulnerable to XSS attacks. Let us consider that the values of the variables rendered above are provided from the user. For demonstration purposes below is some view code with these variables set to such values that each of them will cause an alert:

import json


def test_xss(request):
    context = {
        'var_1': 'alert(1)',
        'var_2': '";\nalert(2);\n"',
        'var_3': json.dumps('</script><script>alert(3);</script><script>')
    }
    return render(request, 'test.html', context)

This snippet might not cause much damage, but it can be much more dangerous. It can also be seen that even using json.dumps is not very safe here.

What can be done to resolve the problem?

Don't render from Django into JavaScript, instead use the json_script template filter [Django-doc] and parse it's results using JSON.parse:

<body>
Body Content
{{ var_1|json_script:"var-1-json" }}
{{ var_2|json_script:"var-2-json" }}
{{ var_3|json_script:"var-3-json" }}
<script>
    let a = JSON.parse(document.getElementById('var-1-json').textContent);;
    let b = JSON.parse(document.getElementById('var-2-json').textContent);;
</script>
<script>
    let c = JSON.parse(document.getElementById('var-3-json').textContent);;
</script>
</body>

% Using regular html comment instead of Django template comment.

author: Alex Deathway
severity: 1
type: antipattern
typefa: "fas fa-ban"
tags: [templates]
layers:templates, app_name/template/app_name/
related_packages: []
solinks: []

Why is it a problem?

Using regular comments in templates causes django to render comments with html,which may be intended for developers only.

< !-- exclude dashboard for
-not authenticated users
-users with not enough privilege
-->

{% comment %}
	  exclude dashboard for 
		  -unauthenticated users
		  -users with not enough privileges 
{% endcomment %}

What can be done to resolve the problem?

Using comment block

for single line:

{# your comment here  #}

for multi line:

{% comment %}
	your 
	multiline 
	comment 
	here
{% endcomment %}

Can you provide a documentation to describe how to run this project on local machine? I want to add some frontend fixes If I can run.

I found (also after digging a lot of SO posts) that the (commit=false) is in fact "suggested" by the official django docs

https://docs.djangoproject.com/en/dev/topics/forms/modelforms/#the-save-method:~:text=%3E%3E%3E%20new_author%20%3D%20f.save(commit%3DFalse)

Would be the case to expand a little bit the use case you inserted in the flow?

thank you!