Usage of mark_safe

  • Rule ID: python_django_mark_safe
  • Languages: python
  • Source: mark_safe.yml

Description

The Django utils method mark_safe is used to mark a string as "safe" for output as HTML, but it does not escape special characters like ampersands or quotes, and therefore could expose your application to XSS attacks if an external string is passed to it.

Remediations

  • Avoid mark_safe wherever possible
  • Use format_html instead to build up HTML fragments. This is more appropriate because it applies escaping to each of its arguments by default, while fragments already marked safe pass through unchanged.
    from django.utils.html import format_html
    from django.utils.safestring import mark_safe

    # some_html is markup the application itself produced; some_text and
    # some_other_text are plain values that format_html escapes.
    format_html("{} <b>{}</b> {}", mark_safe(some_html), some_text, some_other_text)
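The following is an added example, not code from the Bearer rule page or from Django itself. It puts the pattern this rule flags (an external string interpolated into markup and then wrapped in mark_safe) next to the format_html construction the remediation recommends, so the difference in escaping is visible on a constructed input. It uses the real Django functions when Django is installed; otherwise it falls back to small stand-ins (an assumption, labelled in the code) that mirror the relevant behaviour so it still runs offline.

```python
"""
Added example (not Bearer's rule code and not Django's own code): contrasts
external input wrapped in mark_safe with the same output built via format_html.
"""
from html import escape as _py_escape

try:
    # Real Django APIs when the package is available.
    from django.utils.html import format_html, conditional_escape
    from django.utils.safestring import mark_safe, SafeString
except ImportError:
    # Assumption: Django is not installed. These stand-ins mirror the relevant
    # Django behaviour (a str subclass that escaping leaves untouched) so the
    # example runs offline; they are not Django's code.
    class SafeString(str):
        """Marker type: content already considered safe HTML."""

        def __html__(self):
            return self

    def mark_safe(s):
        return SafeString(s)

    def conditional_escape(value):
        # Already-safe strings pass through; everything else is escaped.
        if hasattr(value, "__html__"):
            return value.__html__()
        return SafeString(_py_escape(str(value), quote=True))

    def format_html(format_string, *args, **kwargs):
        # Every positional and keyword argument is escaped before formatting.
        return mark_safe(
            format_string.format(
                *(conditional_escape(a) for a in args),
                **{k: conditional_escape(v) for k, v in kwargs.items()},
            )
        )


def render_greeting_unsafe(username):
    """The pattern the rule flags: an external string is interpolated into
    markup and the whole result is marked safe, so nothing gets escaped."""
    return mark_safe("<p>Hello, <b>%s</b></p>" % username)


def render_greeting_safe(username):
    """Remediation: format_html escapes `username` before it reaches the page."""
    return format_html("<p>Hello, <b>{}</b></p>", username)


def build_fragment(trusted_html, untrusted_text):
    """The remediation's pattern: markup the application itself produced is
    passed through mark_safe, while untrusted text is left to be escaped."""
    return format_html("{} <b>{}</b>", mark_safe(trusted_html), untrusted_text)


def is_escaped(rendered, raw_value):
    """Simple output check: a raw external value containing HTML
    metacharacters must not appear verbatim in the rendered markup."""
    return raw_value not in str(rendered)


if __name__ == "__main__":
    # Constructed sample input standing in for a user-supplied display name.
    sample = "<script>alert(1)</script>"
    print("unsafe :", render_greeting_unsafe(sample))
    print("safe   :", render_greeting_safe(sample))
    print("mixed  :", build_fragment("<i>Member since 2020</i>", "O'Brien & Sons"))
```

The unsafe variant returns the input untouched inside the markup; the format_html variant returns it with `<`, `>`, `&`, quotes and apostrophes escaped, and only the fragment explicitly passed through mark_safe is left as literal HTML. The is_escaped helper is the kind of assertion worth keeping in a view's unit tests once a mark_safe call has been replaced.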

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_django_mark_safe

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_django_mark_safe