mark_safe detected BAN-B3081731 @property
1732 def totp_svg(self):
1733 image = qrcode.make(self.totp_url, image_factory=qrcode.image.svg.SvgPathImage)
1734 return mark_safe(image.to_string(encoding="unicode")) # noqa: S3081735
1736 def get_context_data(self, **kwargs):
1737 """Create context for rendering page.""" 284 name,
285 format_html(
286 'data-value="{}" tabindex="-1"',
287 mark_safe( # noqa: S308 288 value.encode("ascii", "xmlcharrefreplace").decode("ascii") 289 ), 290 ),
291 char,
292 ) 263 GROUP_TEMPLATE,
264 [
265 (
266 mark_safe('data-toggle="buttons"'), # noqa: S308 267 rtl_switch,
268 )
269 ], # Only one group. 245 gettext("Toggle text direction"),
246 rtl_name,
247 "rtl",
248 mark_safe('checked="checked"'), # noqa: S308 249 "RTL",
250 ),
251 ( 212 name,
213 format_html(
214 'data-value="{}"',
215 mark_safe( # noqa: S308 216 value.encode("ascii", "xmlcharrefreplace").decode("ascii") 217 ), 218 ),
219 char,
220 )Use of mark_safe() may expose cross-site scripting (XSS) vulnerabilities and should be reviewed.
mark_safe explicitly marks a string as safe for (HTML) output purposes.
Django auto-escapes all output from template variable tags unless explicitly told not to. Use of mark_safe() function implies that the parameter is safe for client-side output without Django's automatic string escaping. It's a legitimate way of defining strings that are intended to be interpreted as HTML.
Using mark_safe() on an internally generated string is okay but becomes a security risk if used on unchecked user input.
Since this is an audit issue, some occurrences may be harmless here. The goal is to bring the issue to attention. Please make sure that the input string is trusted. If the occurrences don't seem to be valid, please feel free to ignore them.
When possible, use formathtml. It is safe as all arguments are passed through conditionalescape()
Bad practice
mark_safe("<b>%s</b> %s" % (user_input))
Recommended
format_html("<b>%s</b>, user_input)