Update django docs, add unit-test for XSS without escaping

gofiber · Jan 11, 2024 · f02c83a · f02c83a
1 parent 3e00a49
commit f02c83a
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 4 deletions.
diff --git a/django/README.md b/django/README.md
@@ -59,9 +59,9 @@ func main() {
 	// Create a new engine
 	engine := django.New("./views", ".django")
 
-  // Or from an embedded system
-  // See github.com/gofiber/embed for examples
-  // engine := html.NewFileSystem(http.Dir("./views", ".django"))
+	// Or from an embedded system
+	// See github.com/gofiber/embed for examples
+	// engine := html.NewFileSystem(http.Dir("./views", ".django"))
 
 	// Pass the engine to the Views
 	app := fiber.New(fiber.Config{
@@ -194,4 +194,23 @@ If you need to access a value in the template that doesn't adhere to the key nam
 c.Render("index", fiber.Map{
     "Fiber": "Hello, World!\n\nGreetings from Fiber Team",
     "MyKey": c.Locals("my-key"),
-})
+})
+
+### AutoEscape is enabled by default
+
+When you create a new instance of the `Engine`, the auto-escape is **enabled by default**. This setting automatically escapes output, providing a critical security measure against Cross-Site Scripting (XSS) attacks.
+
+### Disabling Auto-Escape
+
+Auto-escaping can be disabled if necessary, using the `SetAutoEscape` method:
+
+```go
+engine := django.New("./views", ".django")
+engine.SetAutoEscape(false)
+```
+
+### Security Implications of Disabling Auto-Escape
+
+Disabling auto-escape should be approached with caution. It can expose your application to XSS attacks, where malicious scripts are injected into web pages. Without auto-escaping, there is a risk of rendering harmful HTML or JavaScript from user-supplied data.
+
+It is advisable to keep auto-escape enabled unless there is a strong reason to disable it. If you do disable it, ensure all user-supplied content is thoroughly sanitized and validated to avoid XSS vulnerabilities.
diff --git a/django/django_test.go b/django/django_test.go
@@ -326,6 +326,22 @@ func Test_XSS(t *testing.T) {
 	require.Equal(t, expect, result)
 }
 
+func Test_XSS_WithAutoEscapeDisabled(t *testing.T) {
+    engine := New("./views", ".django")
+    engine.SetAutoEscape(false)
+    require.NoError(t, engine.Load())
+
+    var buf bytes.Buffer
+    err := engine.Render(&buf, "index", map[string]interface{}{
+        "Title": "<script>alert('XSS')</script>",
+    }, "layouts/main")
+    require.NoError(t, err)
+
+    expect := `<!DOCTYPE html><html><head><title>Main</title></head><body><h2>Header</h2><h1><script>alert('XSS')</script></h1><h2>Footer</h2></body></html>`
+    result := trim(buf.String())
+    require.Equal(t, expect, result)
+}
+
 func Benchmark_Django(b *testing.B) {
 	expectSimple := `<h1>Hello, World!</h1>`
 	expectExtended := `<!DOCTYPE html><html><head><title>Main</title></head><body><h2>Header</h2><h1>Hello, Admin!</h1><h2>Footer</h2></body></html>`