5👍
✅
You need to escape the HTML you’re outputting in the JSON object. Normally Django would have done that for you in a regular response, but seeing as you’re encapsulating it in JSON, it’s not that straightforward.
Use the escape function, as described in this question, before you encode JSON, as follows:
import json
from django.utils.html import escape
# ...
# HTML-escape the user-supplied fields before they are JSON-encoded;
# json.dumps itself leaves <, > and & untouched.
res['title'] = escape(form.cleaned_data['title'])
res['body'] = escape(form.cleaned_data['body'])
res = json.dumps(res)
2👍
There is a very basic way to solve any kind of XSS related to a form: whenever you submit it, just validate for special characters like < > ( ) + etc., or try to escape the XSS characters. More details here
👤pkm
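The two answers above describe two different controls: escaping the fields before `json.dumps` (accepted answer) and rejecting input that carries suspicious characters (second answer). The script below, added here as an illustration and not code from either answerer, shows both side by side on a constructed `cleaned_data` dict. It uses the standard-library `html.escape` as a stand-in for `django.utils.html.escape` so it runs without Django; both produce the same entities for `& < > " '`. The function names and the sample data are this example's own.

```python
import json
from html import escape  # stand-in for django.utils.html.escape (same entities for & < > " ')

# Constructed sample of what form.cleaned_data might hold after a hostile submission
CLEANED_DATA = {
    "title": 'Hello <script>alert(1)</script>',
    "body": 'Click "here" & enjoy <img src=x onerror=alert(1)>',
}


def payload_unescaped(cleaned):
    """What the original view did: json.dumps leaves HTML metacharacters intact,
    so a client that drops these strings into innerHTML renders them as markup."""
    return json.dumps({"title": cleaned["title"], "body": cleaned["body"]})


def payload_escaped(cleaned):
    """The accepted answer's fix: HTML-escape each field *before* JSON-encoding."""
    res = {
        "title": escape(cleaned["title"], quote=True),
        "body": escape(cleaned["body"], quote=True),
    }
    return json.dumps(res)


def has_raw_markup(json_text):
    """Detection helper: after decoding the JSON, does any field still carry a raw
    '<' or '>'?  True means the payload is unsafe for an innerHTML sink."""
    fields = json.loads(json_text)
    return any("<" in v or ">" in v for v in fields.values())


def is_plain_text(value, forbidden="<>()+"):
    """The second answer's approach: reject input containing the listed characters.
    Works as an early filter for fields that never legitimately need them, but it is
    not a substitute for escaping at output time (the list is easy to get wrong)."""
    return not any(ch in value for ch in forbidden)


if __name__ == "__main__":
    print("unescaped:", payload_unescaped(CLEANED_DATA))
    print("escaped:  ", payload_escaped(CLEANED_DATA))
    print("title passes allowlist?", is_plain_text(CLEANED_DATA["title"]))
```

Note that `escape` is the right choice only when the client inserts the decoded strings into an HTML context (innerHTML, jQuery `.html()`); a client that uses `textContent` would show the entities literally, so the encoding has to match the sink.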
Source:stackexchange.com