Security advisory: simple_tag does not do auto-escaping

Posted by Luke Plant on June 29, 2015

As per our documentation, the simple_tag decorator used for creating custom template tags does not run auto-escaping on its contents (up to and including Django 1.8). The team has noticed, however, that this makes it very easy to introduce XSS vulnerabilities when using simple_tag, and we have found examples of vulnerable code in the wild.

For this reason, Django 1.9 will change this behavior to improve security. In the mean time, all users are encouraged to check every usage of simple_tag in their own template tags and ensure they are not vulnerable, as per the instructions in the 1.9 release notes.

News & Events

Security advisory: simple_tag does not do auto-escaping

Additional Information

Support Django!

Upcoming Events

Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

RSS Feeds

Django Links

Learn More

Get Involved

Get Help

Follow Us

Support Us