|
|
@@ -12,12 +12,13 @@ Cross site scripting (XSS) protection
|
|
|
|
|
|
.. highlightlang:: html+django
|
|
|
|
|
|
-XSS attacks allow a user to inject client side scripts into the
|
|
|
-browsers of other users. This is usually achieved by storing the malicious
|
|
|
-scripts to the database where it will be retrieved and displayed to other users
|
|
|
-or to get users to click a link containing variables containing scripts that
|
|
|
-will be rendered by the user's browser. However, XSS attacks can originate
|
|
|
-from any untrusted source of data such as cookies or web services.
|
|
|
+XSS attacks allow a user to inject client side scripts into the browsers of
|
|
|
+other users. This is usually achieved by storing the malicious scripts in the
|
|
|
+database where it will be retrieved and displayed to other users, or by getting
|
|
|
+users to click a link which will cause the attacker's javascript to be executred
|
|
|
+by the user's browser. However, XSS attacks can originate from any untrusted
|
|
|
+source of data, such as cookies or web services, whenever the data is not
|
|
|
+sufficiently sanitized before including in a page.
|
|
|
|
|
|
Using Django templates protects you against the majority of XSS attacks.
|
|
|
However, it is important to understand what protections it provides
|
|
|
@@ -44,8 +45,8 @@ In addition, if you are using the template system to output something other
|
|
|
than HTML, there may be entirely separate characters and words which require
|
|
|
escaping.
|
|
|
|
|
|
-You should also be very careful when storing HTML to the database especially
|
|
|
-when that HTML will be retrieved and displayed.
|
|
|
+You should also be very careful when storing HTML in the database, especially
|
|
|
+when that HTML is retrieved and displayed.
|
|
|
|
|
|
Cross site request forgery (CSRF) protection
|
|
|
============================================
|
Luke Plant