Skip to content

Closes #22657: escape exception message in render_widget before mark_safe#22658

Merged
jnovinger merged 1 commit into
mainfrom
22657-render-widget-xss
Jul 10, 2026
Merged

Closes #22657: escape exception message in render_widget before mark_safe#22658
jnovinger merged 1 commit into
mainfrom
22657-render-widget-xss

Conversation

@bctiemann

@bctiemann bctiemann commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Closes: #22657

Summary

render_widget in extras/templatetags/dashboard.py caught widget rendering exceptions and interpolated str(e) directly into a mark_safe-wrapped HTML string. If the exception message contained HTML (e.g. from an attacker-influenced URL or external API response included in a widget), that markup would execute in the user's browser.

Fix

Wrap the exception value with escape() before interpolation:

# before
<p class="font-monospace ps-3">{e}</p>

# after
<p class="font-monospace ps-3">{escape(e)}</p>

The two translated strings (message1, message2) are static literals and require no escaping.

Tests

RenderWidgetTemplateTagTestCase in extras/tests/test_dashboard.py — two cases:

  • <script>alert(1)</script> in the exception message → &lt;script&gt; in output, no raw <script> tag
  • <bad> in the exception message → &lt;bad&gt; in output

…safe

str(e) was interpolated directly into the mark_safe-wrapped error HTML,
allowing attacker-influenced exception text to inject markup into the
dashboard. Fix: wrap the interpolated value with escape() so HTML special
characters are rendered as literals.

Add RenderWidgetTemplateTagTestCase covering both script-injection and
angle-bracket cases to pin the escaping behavior.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bctiemann bctiemann requested review from a team and jnovinger and removed request for a team July 9, 2026 18:48
@jnovinger jnovinger merged commit 6ec7940 into main Jul 10, 2026
12 checks passed
@jnovinger jnovinger deleted the 22657-render-widget-xss branch July 10, 2026 15:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

render_widget template tag interpolates raw exception message into mark_safe HTML

2 participants