Usage of __html__ magic method

Description

When Django's template engine (and helpers such as format_html) render a value, they first check whether the object defines an __html__ method. If it does, the string that __html__ returns is treated as already-safe HTML and is inserted without any escaping (special characters such as <, >, ampersands and quotes are left as they are). Defining __html__ on your own class therefore switches off Django's autoescaping for that object: if the string it builds includes user-controlled data that was not escaped beforehand, the application is exposed to Cross-Site Scripting (XSS).

Remediations

  • Do not define the __html__ magic method on your own classes. If a third-party API forces you to, make sure every piece of untrusted data is escaped before it is placed in the returned string.
  • Do use format_html instead to build up HTML fragments. This is more appropriate because it escapes its arguments by default while leaving the markup in the format string itself untouched; wrap an argument in mark_safe only when it is already trusted HTML.
    from django.utils.html import format_html
    from django.utils.safestring import mark_safe

    format_html("{} <b>{}</b> {}", mark_safe(some_html), some_text, some_other_text)
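The following added example (not code from the Bearer rule page or from Django itself) puts a vulnerable __html__ class next to its format_html replacement and renders both the way a template variable would be rendered, through conditional_escape. The class names, the UserBadge/SafeUserBadge attributes and the constructed attacker payload are assumptions made for the demonstration; the except-branch stand-ins exist only so the file also runs where Django is not installed and mirror the same decision Django makes (trust __html__, escape everything else).

```python
"""Added example: an unescaped __html__ method versus format_html."""
import html

try:
    # Django's real helpers are used when Django is installed.
    from django.utils.html import conditional_escape, format_html
    from django.utils.safestring import mark_safe
except ImportError:
    # Assumption: minimal offline stand-ins that mirror Django's behaviour
    # (trust objects that define __html__, escape everything else).
    class _Safe(str):
        def __html__(self):
            return str(self)

    def mark_safe(value):
        return _Safe(value)

    def conditional_escape(value):
        if hasattr(value, "__html__"):
            return _Safe(value.__html__())
        return _Safe(html.escape(str(value), quote=True))

    def format_html(fmt, *args, **kwargs):
        return mark_safe(fmt.format(
            *[conditional_escape(a) for a in args],
            **{k: conditional_escape(v) for k, v in kwargs.items()},
        ))


# Constructed attacker-controlled input, e.g. a display name set via a profile form.
PAYLOAD = "<img src=x onerror=alert(1)>"


class UserBadge:
    """Vulnerable: __html__ tells Django the result is safe, but display_name
    is untrusted and is interpolated without any escaping."""

    def __init__(self, display_name):
        self.display_name = display_name

    def __html__(self):
        return '<span class="badge">%s</span>' % self.display_name


class SafeUserBadge:
    """Hardened: no __html__; the fragment is built with format_html, which
    escapes the argument and keeps only the literal markup as markup."""

    def __init__(self, display_name):
        self.display_name = display_name

    def render(self):
        return format_html('<span class="badge">{}</span>', self.display_name)


def render_in_template(value):
    """What {{ value }} does with autoescape on: conditional_escape decides
    whether to escape based on the presence of __html__."""
    return str(conditional_escape(value))


def vulnerable_output():
    return render_in_template(UserBadge(PAYLOAD))


def hardened_output():
    return render_in_template(SafeUserBadge(PAYLOAD).render())


if __name__ == "__main__":
    print("vulnerable:", vulnerable_output())
    print("hardened:  ", hardened_output())
```

The vulnerable path emits the payload's <img> tag verbatim, so the onerror handler runs in the victim's browser; the hardened path emits &lt;img ...&gt;, which the browser shows as text. Note that the fix is not to escape inside __html__ by hand but to drop the method and let format_html do the escaping, since the method's presence is what disables autoescaping for every caller.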

Associated CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP Top 10

A03:2021 Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_django_html_magic_method

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_django_html_magic_method