Insecure use of
format_html detected PY-S0901Insecure use of 'format_html()' function
915
916 def get_plural_label(self, idx):
917 """Return label for plural form."""
918 return format_html( 919 PLURAL_TITLE,
920 name=self.get_plural_name(idx),
921 examples=", ".join(self.examples.get(idx, [])),Insecure use of 'format_html()' function
103 if only:
104 return params[only]
105
106 return format_html(SOCIAL_TEMPLATE, separator=separator, **params)107
108
109def get_auth_name(auth: str):Insecure use of 'format_html()' function
98
99 if not params["image"].startswith("http"):
100 params["image"] = staticfiles_storage.url("auth/" + params["image"])
101 params["icon"] = format_html(IMAGE_SOCIAL_TEMPLATE, separator=separator, **params)102
103 if only:
104 return params[only]Insecure use of 'format_html()' function
148 for language in data:
149 name, translators = language.popitem()
150 language_outputs.append(
151 format_html_or_plain(152 language_format,
153 language=name,
154 translators=format_html_or_plain_join(Insecure use of 'format_html()' function
46 for key, value in kwargs.items()
47 }
48 if safe_kwargs:
49 return format_html(escape(format_string), **safe_kwargs) 50 return mark_safe(escape(format_string)) # noqa: S308
51
52
Description
Django's format_html() function can be used to safely insert untrusted user data into HTML.
However, passing an already formatting string to format_html() has no effect on the inputted string, and may be a security issue. This may expose cross-site scripting (XSS) vulnerabilities.
Bad practice
format_html(f"<b>{user_input}</b>") # `user_input` is not being sanitized!
Recommended
format_html("<b>{}</b>", user_input) # This can safely be used.
References:
format_html- OWASP Top 10 2021 Category A03 - Injection
- CWE 79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')