Is autoescape off in django safe?

I want to display some HTML in Django 1.0 templates and to do that I have been doing something like this:

{% autoescape off %}{{ var.text }}{% endautoescape %}

and I am just wondering how safe this is? Am I still protected against SQL injection and cross-site scripting and other vulnerabilities like that?

Update:

This text will be coming from users, so what is the best way to display HTML in a Django template safely?

Joe asked Sep 11 '09 20:09


1 Answer

The autoescape would be a protection against cross-site scripting, not SQL injection (for which you need to make sure your inputs are scrubbed). Turning autoescape off would mean you trust what is in "text", wherever it came from, not to be malicious (i.e., it should be impossible for a user to create or modify what is in text). If that assumption is valid, then you are safe against cross-site scripting; otherwise, that is a security hole.

Todd Gardner answered Sep 18 '22 19:09
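The following is an added example written for this page; it is not code from the question, the answer, or Django itself. It shows the two sides of the answer above: what the default autoescaping does to user text, and the alternative when users really are allowed to submit some HTML, which is to reduce it to an allowlist of tags and attributes and only then mark it safe. The sanitizer uses only the Python standard library so it runs without Django; the allowed tag set, the function names and the sample input are assumptions chosen for illustration. In a Django project the sanitized string would be passed through django.utils.safestring.mark_safe (a real Django API) once, on save or in a template filter, with autoescaping left on, rather than wrapping raw user text in {% autoescape off %}. A production project would more likely use a maintained sanitizer library (for example bleach or nh3), but the logic below is what such a library does.

```python
"""Allowlist HTML sanitizer for user-supplied text, standard library only.

Added example for this page (not code from the question or the answer).
Allowed tags/attributes and function names are assumptions for illustration.
"""
from html import escape
from html.parser import HTMLParser

# What a commenter may use. Everything not listed here is removed.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}     # no class, style, id, or on* handlers
VOID_TAGS = {"br"}                  # emitted without a closing tag
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")

# Constructed sample input: what a hostile commenter might submit.
SAMPLE = ('<b onclick="steal()">hi</b> & <a href="javascript:alert(1)">x</a>'
          '<script>alert(1)</script><img src=x onerror=alert(1)>')


def as_autoescaped(text):
    """What {{ var.text }} produces with autoescape left on: the five
    characters < > & " ' become entities, so user text is never markup."""
    return escape(text, quote=True)


def _safe_href(value):
    """Allowlist URL schemes; anything else (javascript:, data:, vbscript:,
    scheme-relative //evil) is dropped. Lowercasing and stripping defeat
    'JavaScript:' and leading-whitespace variants."""
    v = value.strip().lower()
    return v.startswith(SAFE_HREF_PREFIXES) or (v.startswith("/") and not v.startswith("//"))


class AllowlistSanitizer(HTMLParser):
    """Re-emit the input, keeping only allowlisted tags and attributes.

    Unknown tags (script, img, iframe, ...) are removed; their text
    content is kept but re-escaped, so it cannot re-enter a markup
    context. Mis-nested or unclosed allowed tags are closed properly.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []              # allowed tags we have emitted

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                       # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                       # stray or disallowed close tag
        while self.open_tags:            # close anything nested inside it
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        # Text nodes (including decoded &entities;) are always re-escaped.
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                             # comments are dropped entirely

    def result(self):
        self.close()
        while self.open_tags:            # close what the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(user_html):
    """Reduce arbitrary user HTML to the allowlisted subset."""
    p = AllowlistSanitizer()
    p.feed(user_html)
    return p.result()


if __name__ == "__main__":
    print(as_autoescaped(SAMPLE))   # every tag shown literally, nothing runs
    print(sanitize_html(SAMPLE))    # <b>hi</b> &amp; <a>x</a>alert(1)
```

Note what survives the sanitizer on the sample: the bold text and the link keep their tags but lose the onclick handler and the javascript: href, the script element is gone and its body is reduced to inert text, and the img with its onerror handler disappears entirely. That is the result you would mark safe; disabling autoescape on the raw string would have rendered all four payloads.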