CVE-2024-23341: Django Format Html Bypass

Calling `format_html` with a single dynamic variable or an in-place formatted string (an f-string, `.format()`, or `%` formatting) bypasses Django's XSS escaping: the interpolation happens before `format_html` runs, so it receives one already-assembled string, has no arguments left to escape, and marks the whole result safe. `format_html` must be called with the template as the first argument, followed by the dynamic values as separate arguments, which it then escapes automatically. For example, use `format_html("<tag>{}</tag>", user_input)` instead of `format_htm
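To make the difference concrete, here is an added example that is not code from the rule page or from Django: a plain-Python model of `format_html` and `conditional_escape` that follows their documented behaviour (escape each argument unless already marked safe, never escape the template, mark the result safe), so the safe and unsafe call styles can be run side by side without Django installed. The `PAYLOAD` string is constructed for the demonstration.

```python
"""
Added example (not from the rule page or from Django itself): a minimal
pure-Python model of Django's format_html / conditional_escape so the
difference between the safe and unsafe call styles can be run without
Django installed.  The model follows the documented behaviour: every
positional/keyword argument is HTML-escaped unless already marked safe,
the format string itself is never escaped, and the result is marked safe.
"""
import html


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString: a str that the
    template layer will not escape again."""


def mark_safe(s):
    return SafeString(s)


def conditional_escape(value):
    """Escape unless the value is already marked safe (mirrors Django)."""
    if isinstance(value, SafeString):
        return value
    return mark_safe(html.escape(str(value), quote=True))


def format_html(format_string, *args, **kwargs):
    """Model of django.utils.html.format_html: escape the arguments, not
    the template, then mark the interpolated result safe."""
    args_safe = [conditional_escape(a) for a in args]
    kwargs_safe = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(format_string.format(*args_safe, **kwargs_safe))


# Constructed attacker-controlled input for the demonstration.
PAYLOAD = "<script>alert(1)</script>"


def safe_usage(user_input):
    """Correct form: template first, data as a separate argument."""
    return format_html("<b>{}</b>", user_input)


def unsafe_fstring(user_input):
    """Bypass: the f-string interpolates BEFORE format_html sees it, so
    format_html receives one finished string, has nothing left to escape,
    and marks the raw payload safe."""
    return format_html(f"<b>{user_input}</b>")


def unsafe_percent(user_input):
    """Same bypass with %-formatting."""
    return format_html("<b>%s</b>" % user_input)


def unsafe_str_format(user_input):
    """Same bypass with str.format()."""
    return format_html("<b>{}</b>".format(user_input))


def unsafe_single_variable(user_input):
    """Same bypass with a single dynamic variable: there is no template,
    so the whole untrusted value is treated as the trusted format string."""
    return format_html(user_input)


def is_neutralised(rendered):
    """True when the payload's tag delimiters were escaped."""
    return "<script>" not in rendered and "&lt;script&gt;" in rendered


if __name__ == "__main__":
    for fn in (safe_usage, unsafe_fstring, unsafe_percent,
               unsafe_str_format, unsafe_single_variable):
        out = fn(PAYLOAD)
        print(f"{fn.__name__:24s} neutralised={is_neutralised(out)!s:5s} {out!r}")
```

Only `safe_usage` produces `<b>&lt;script&gt;alert(1)&lt;/script&gt;</b>`; every other variant returns the raw `<script>` tag wrapped in a safe string, which is exactly the condition the rule is looking for.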

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | Python
`greprules fetch cve-2024-23341-django-format-html-bypass --engine opengrep`
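As an added example that is not the opengrep rule itself, the following `ast`-based check approximates what the rule flags, so the criteria in the description can be tested against a source file without opengrep. A `format_html` call is reported when its first argument is an f-string, a `.format(...)` call, or a `%`-formatted expression, or when the call has exactly one argument that is not a string literal. That last criterion goes slightly beyond the description's "single dynamic variable" by also catching any single non-literal expression such as string concatenation. The sample module `SAMPLE_SOURCE` is constructed here for the demonstration.

```python
"""
Added example, not the opengrep rule itself: a stand-alone `ast`-based
approximation of what the rule flags.  SAMPLE_SOURCE is a constructed
module containing both correct and bypassing call styles.
"""
import ast

SAMPLE_SOURCE = '''
from django.utils.html import format_html

def ok(user):
    return format_html("<b>{}</b>", user)

def ok_kw(user):
    return format_html("<b>{name}</b>", name=user)

def ok_static():
    return format_html("<hr>")

def bad_fstring(user):
    return format_html(f"<b>{user}</b>")

def bad_format(user):
    return format_html("<b>{}</b>".format(user))

def bad_percent(user):
    return format_html("<b>%s</b>" % user)

def bad_single(user):
    return format_html(user)

def bad_concat(user):
    return format_html("<b>" + user + "</b>")
'''


def _is_format_html(call):
    """True for `format_html(...)` and `<module>.format_html(...)`."""
    func = call.func
    return (isinstance(func, ast.Name) and func.id == "format_html") or (
        isinstance(func, ast.Attribute) and func.attr == "format_html")


def classify_first_arg(call):
    """Return a finding label for a format_html Call node, or None if the
    call passes a literal template with separate arguments."""
    if not call.args:
        return None  # nothing positional: not a pattern this check covers
    first = call.args[0]
    if isinstance(first, ast.JoinedStr):
        return "f-string template"
    if (isinstance(first, ast.Call)
            and isinstance(first.func, ast.Attribute)
            and first.func.attr == "format"):
        return ".format() template"
    if isinstance(first, ast.BinOp) and isinstance(first.op, ast.Mod):
        return "%-formatted template"
    literal = isinstance(first, ast.Constant) and isinstance(first.value, str)
    if not literal and len(call.args) == 1 and not call.keywords:
        # One non-literal argument and nothing to interpolate: the whole
        # dynamic value becomes the (trusted) format string.
        return "single dynamic argument"
    return None


def find_format_html_bypasses(source, filename="<string>"):
    """Parse `source` and return sorted (lineno, label) findings."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _is_format_html(node):
            label = classify_first_arg(node)
            if label:
                findings.append((node.lineno, label))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, label in find_format_html_bypasses(SAMPLE_SOURCE):
        print(f"line {lineno}: format_html bypass ({label})")
```

Run against `SAMPLE_SOURCE` the check reports the five `bad_*` calls and leaves the three `ok*` calls alone, including the static `format_html("<hr>")`, which is not an escaping bypass because nothing dynamic is interpolated.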
