Django XSS detection rule

[ehooo]

Summary

The rule B308 only detect the function mark_safe ( According to Django security ), whoever, XSS you could "mark safe" a strings with SafeText, SafeUnicode, SafeString and SafeBytes.

Steps to reproduce the behavior

from django.utils import safestring

safestring.SafeText('<b>Hello World</b>')
safestring.SafeUnicode('<b>Hello World</b>')
safestring.SafeString('<b>Hello World</b>')
safestring.SafeBytes('<b>Hello World</b>')

Expected behavior

Detect the escape functions

Actual behavior

B308 do not detect this functions

[ehooo]

Could someone tell me what thinking about removing the rule B308 ?

[ehooo]

@lukehinds @ericwb what do you think about remove B308?

[ehooo]

Hi again @lukehinds and @ericwb any new about B308? if you don't want remove this rule this issue could be closed

[lukehinds]

@ehooo let me verify I understand correctly, mark_safe is now covered in B703 (with more scope to capture other safe markers), and so we can remove B308? I think as B703 has merged, it makes sense, but we also need to make sure we don't break any jobs or scripts that users may have that specifically make calls to B308.

[ehooo]

Hi @lukehinds yes B703 cover B308 and more, so now Bandit duplicated hits.
If you prefer I could remove the function cover by B308 on B703.

[ericwb]

Fixed with #295