Merge branch 'dev' into bleach-to-nh3
3d669fe
Open

replace bleach with nh3 for HTML sanitization #14442
DryRunSecurity / Cross-Site Scripting Analyzer succeeded Mar 17, 2026 in 1m 10s
Cross-Site Scripting Analyzer Findings: 1 detected

⚠️ Potential Cross-Site Scripting in dojo/templatetags/display_tags.py

Type: Potential Cross-Site Scripting

Description: The code calls mark_safe on content cleaned by nh3.clean and then renders it. mark_safe disables Django's automatic escaping; if nh3.clean's allowlist (_NH3_ALLOWED_TAGS / _NH3_ALLOWED_ATTRIBUTES) permits attributes or tag combinations that can be abused (e.g., javascript: URIs in href, data URIs, or any on* event handlers), or if nh3.clean does not strip dangerous protocols/attributes, user-controlled input can reach the rendered HTML sink as unescaped markup and lead to XSS. The patch defines a relatively small allowed tag/attribute set, but there is no evidence in the patch that nh3.clean enforces safe URL schemes or strips dangerous attributes; the usage of nh3.clean + mark_safe is therefore risky and confirms a potential XSS path.

Filename: dojo/templatetags/display_tags.py

Code:
return mark_safe(nh3.clean(message, tags=_NH3_ALLOWED_TAGS, attributes=_NH3_ALLOWED_ATTRIBUTES))
def text_shortener(value, length):