-
-
Notifications
You must be signed in to change notification settings - Fork 625
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Django XSS detection rule #294
Comments
Could someone tell me what thinking about removing the rule B308 ? |
@lukehinds @ericwb what do you think about remove B308? |
Hi again @lukehinds and @ericwb any new about B308? if you don't want remove this rule this issue could be closed |
@ehooo let me verify I understand correctly, mark_safe is now covered in B703 (with more scope to capture other safe markers), and so we can remove B308? I think as B703 has merged, it makes sense, but we also need to make sure we don't break any jobs or scripts that users may have that specifically make calls to B308. |
Hi @lukehinds yes B703 cover B308 and more, so now Bandit duplicated hits. |
Fixed with #295 |
Summary
The rule B308 only detect the function mark_safe ( According to Django security ), whoever, XSS you could "mark safe" a strings with SafeText, SafeUnicode, SafeString and SafeBytes.
Steps to reproduce the behavior
Expected behavior
Detect the escape functions
Actual behavior
B308 do not detect this functions
The text was updated successfully, but these errors were encountered: