Opened 3 years ago
Closed 3 years ago
#33523 closed Bug (invalid)
remove dangerous text from translated message about csrf error
Reported by: | Maxim Danilov | Owned by: | nobody |
---|---|---|---|
Component: | CSRF | Version: | 4.0 |
Severity: | Normal | Keywords: | csrf error message |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
In django\views\csrf.py, the function csrf_failure defines the error dictionary "c" (error_name: error_description).
The item with key 'no_referer3' has this text:
'If you are using the <meta name="referrer" content=\"no-referrer\"> tag or including the “Referrer-Policy: no-referrer” header, please remove them. The CSRF protection requires the “Referer” header to do strict referer checking. If you’re concerned about privacy, use alternatives like <a rel=\"noreferrer\" …> for links to third-party sites.'
If I put this message simply in <html><head><title> {{ c.no_referer3 }} </title>, it breaks the browser's work.
The browser takes <meta name="referrer" content=\"no-referrer\"> as a normal meta (Chrome and Firefox).
This text "out of the box" has unescaped symbols and is therefore dangerous. Of course, I can change it with translations.
Thanks for this report, however I cannot imagine how that could be dangerous 🤔. As far as I understand correctly, you have a custom template for CSRF failure and you put `no_referer3` in the `<head>` HTML tag; even so it's not marked as safe and will not be interpreted by a browser.
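An added illustration of the triage point above (example code written for this page, not Django's own code and not part of the ticket). Django's template autoescaping is stood in for by the standard library's html.escape, which performs the same `<`, `>`, `&` and quote substitutions for the purpose of this check, and Python's html.parser stands in for a browser to list the start tags a tokenizer sees. The names render_title, referrer_meta_tags and TagCollector are assumptions made for this example.

```python
import html
from html.parser import HTMLParser

# The no_referer3 message quoted in the ticket (the backslash-escaped quotes
# there are a Python-source artifact; this is the rendered string).
NO_REFERER3 = (
    'If you are using the <meta name="referrer" content="no-referrer"> tag '
    'or including the “Referrer-Policy: no-referrer” header, please remove them. '
    'The CSRF protection requires the “Referer” header to do strict referer '
    'checking. If you’re concerned about privacy, use alternatives like '
    '<a rel="noreferrer" …> for links to third-party sites.'
)


class TagCollector(HTMLParser):
    """Record (tag, attrs) for every start tag the tokenizer emits."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def render_title(message, autoescape=True):
    """Stand-in for the ticket's template: <title> {{ c.no_referer3 }} </title>.

    With autoescape on (Django's default for {{ ... }}), the value is
    HTML-escaped before it lands in the page. autoescape=False models
    {{ ... |safe }} or an {% autoescape off %} block, which emit it verbatim.
    html.escape is an assumed stand-in for Django's escaping here.
    """
    body = html.escape(message, quote=True) if autoescape else message
    return f"<html><head><title>{body}</title></head><body></body></html>"


def referrer_meta_tags(document):
    """Return the attrs of every <meta name="referrer"> start tag found."""
    parser = TagCollector()
    parser.feed(document)
    parser.close()
    return [
        attrs
        for tag, attrs in parser.tags
        if tag == "meta" and attrs.get("name") == "referrer"
    ]


if __name__ == "__main__":
    escaped = render_title(NO_REFERER3)
    verbatim = render_title(NO_REFERER3, autoescape=False)
    print("autoescape on :", referrer_meta_tags(escaped))    # []
    print("autoescape off:", referrer_meta_tags(verbatim))   # one referrer meta
```

html.parser does not apply a browser's RCDATA rule to `<title>` contents, so it reports any unescaped `<meta>` start tag wherever it sits in the markup; the example's point is that after autoescaping the `<` and `>` are entities, so no start tag exists for any parser to act on. A `<meta name="referrer">` only reaches the browser if the template author opts out of escaping with `|safe`, `mark_safe`, or `{% autoescape off %}`.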