Developing web applications often involves passing dynamic data to templates for rendering. This data may come from a database or other sources. When the data contains HTML, rendering it directly in templates can lead to security issues like cross-site scripting (XSS). To display HTML from template data safely, you need to escape or sanitize the output. In this post, we’ll explore some ways to handle rendering template variables containing HTML.
The Dangers of Rendering Unescaped HTML
First, let’s understand why rendering raw HTML from templates can be dangerous. Web applications often display user-generated content, which may contain malicious code. Outputting such code unmodified allows attackers to inject scripts into your site. For instance, consider a blogging app that displays blog titles and content on pages. If a blog title contains a <script> tag, it will execute on your site!
Attackers can craft malicious HTML that performs actions like:
- Stealing user session cookies
- Redirecting to phishing pages
- Inserting hidden iframes for clickjacking
Clearly, rendering raw template data as HTML allows XSS attacks. So how do we display HTML from templates safely?
Escaping HTML Before Output
The most straightforward approach is to escape any HTML in the data before outputting it. In Python with the Jinja template engine, this is done using the |safe filter For example:
{{ user_input | safe }}This converts all <, >, etc. to HTML entities like < So <script> tags get harmlessly displayed as text rather than executed.
Escaping works well if the template data only requires basic text formatting like bold, italics, etc. However, sometimes you need to allow some HTML tags for complex formatting while blocking dangerous tags.
Allowing Specific Tags with a Whitelist
For cases where you want to allow some HTML, use a library like Bleach in Python to whitelist specific tags:
import bleach bleach.clean(user_input, tags=['b', 'em', 'i'])This removes all tags except <b>, <em> and <i>. You can customize the whitelist to allow other benign formatting tags.
The downside is this requires manually maintaining a whitelist of allowed tags. So it doesn’t scale well if you need to permit a lot of HTML.
Sanitizing with a DOM Purifier
A more robust approach is to use a DOM purifier library like DOMPurify in JavaScript. With it, you can:
- Allow a wide range of HTML tags
- Strip out unwanted CSS classes and attributes
- Disable dangerous features like JavaScript
For example:
const clean = DOMPurify.sanitize(user_input, { ALLOWED_TAGS: [...]});This gives you fine-grained control over the HTML, allowing most safe tags while filtering out unsafe attributes.
Sandboxing HTML in an iframe
For cases where you need to render complex untrusted HTML, sandboxing it in an iframe is an option. This prevents the HTML from interacting with your site due to iframe isolation.
For example:
<iframe srcdoc={{ user_input | safe }} />This renders the HTML in a separate nested browsing context. Limitations are that styling and interactivity will be broken.
Choosing the Right Approach
When outputting template data as HTML:
- Escape for basic text formatting needs
- Whitelist for moderate HTML requirements
- Sanitize for broader HTML capabilities
- Sandbox in iframes for maximum isolation
Understand your specific use case to pick the most secure and appropriate option.
Conclusion
Rendering untrusted template variables directly risks XSS issues on your site. By properly escaping, sanitizing or isolating the output HTML you can balance usability and security needs. Defense in depth by combining techniques is the best approach for Django Projects.
With some care when outputting dynamic data, you can build robust web apps that minimize attack surfaces for malicious users.
