From f02c83a5f0983d5cb55580532f0cc5d468539c95 Mon Sep 17 00:00:00 2001
From: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Date: Wed, 10 Jan 2024 23:17:19 -0500
Subject: [PATCH] Update django docs, add unit-test for XSS without escaping

---
 django/README.md | 27 +++++++++++++++++++++++----
 django/django_test.go | 16 ++++++++++++++++
 2 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/django/README.md b/django/README.md
index ce7799d..eab51e9 100644
--- a/django/README.md
+++ b/django/README.md
@@ -59,9 +59,9 @@ func main() {
 // Create a new engine
 engine := django.New("./views", ".django")
 
- // Or from an embedded system
- // See github.com/gofiber/embed for examples
- // engine := html.NewFileSystem(http.Dir("./views", ".django"))
+ // Or from an embedded system
+ // See github.com/gofiber/embed for examples
+ // engine := html.NewFileSystem(http.Dir("./views", ".django"))
 
 // Pass the engine to the Views
 app := fiber.New(fiber.Config{
@@ -194,4 +194,23 @@ If you need to access a value in the template that doesn't adhere to the key nam
 c.Render("index", fiber.Map{
 "Fiber": "Hello, World!\n\nGreetings from Fiber Team",
 "MyKey": c.Locals("my-key"),
-})
\ No newline at end of file
+})
+
+### AutoEscape is enabled by default
+
+When you create a new instance of the `Engine`, the auto-escape is **enabled by default**. This setting automatically escapes output, providing a critical security measure against Cross-Site Scripting (XSS) attacks.
+
+### Disabling Auto-Escape
+
+Auto-escaping can be disabled if necessary, using the `SetAutoEscape` method:
+
+```go
+engine := django.New("./views", ".django")
+engine.SetAutoEscape(false)
+```
+
+### Security Implications of Disabling Auto-Escape
+
+Disabling auto-escape should be approached with caution. It can expose your application to XSS attacks, where malicious scripts are injected into web pages. Without auto-escaping, there is a risk of rendering harmful HTML or JavaScript from user-supplied data.
+
+It is advisable to keep auto-escape enabled unless there is a strong reason to disable it. If you do disable it, ensure all user-supplied content is thoroughly sanitized and validated to avoid XSS vulnerabilities.
diff --git a/django/django_test.go b/django/django_test.go
index a586a5f..91cac79 100644
--- a/django/django_test.go
+++ b/django/django_test.go
@@ -326,6 +326,22 @@ func Test_XSS(t *testing.T) {
 require.Equal(t, expect, result)
 }
 
+func Test_XSS_WithAutoEscapeDisabled(t *testing.T) {
+ engine := New("./views", ".django")
+ engine.SetAutoEscape(false)
+ require.NoError(t, engine.Load())
+
+ var buf bytes.Buffer
+ err := engine.Render(&buf, "index", map[string]interface{}{
+ "Title": "",
+ }, "layouts/main")
+ require.NoError(t, err)
+
+ expect := `