
Oh, I Found a Security Issue (DjangoCPH 2018)


An extended version of my PyCon CA 2017 talk, mixed with a shortened version of my DjangoCon AU 2017 talk.

Markus H

March 17, 2018



  1. I'm Markus Holtermann • @m_holtermann • github.com/MarkusH • markusholtermann.eu • Django Core Developer • Software Engineer at @laterpay • laterpay.net

  2. Date: Tue, 4 Apr 2017 08:31:25 -0700 (PDT)
     From: Tim Graham <*****@gmail.com>
     To: django-announce <[email protected]>
     Subject: [django-announce] Django security releases issued: 1.10.7, 1.9.13, and 1.8.18

     Today the Django team issued 1.10.7, 1.9.13, and 1.8.18 as part of our security process. These releases address two security issues, and we encourage all users to upgrade as soon as possible: https://www.djangoproject.com/weblog/2017/apr/04/security-releases/

     As a reminder, we ask that potential security issues be reported via private email to [email protected] and not via Django's Trac instance or the django-developers list. Please see https://www.djangoproject.com/security for further information.

  3. • Setup reporting channel
     • Monitor reporting channel
     • Fix the issue
     • Release & Announce
     • Learn from it

  4. Avoiding XSS

     <script> var json = JSON.parse("{{ data | escapejs }}"); </script>

     https://code.djangoproject.com/ticket/17419

  5. Avoiding XSS

     <div data-foo="{{ data }}" id="json2"></div>

     In your .js file (with jQuery): $('#json2').data('foo')

     https://code.djangoproject.com/ticket/17419
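The following is an added example (mine, not code from the talk or from Django) that shows why the two patterns on slides 4 and 5 hold up and what goes wrong when the JSON is dropped into a script block without the right escaping. It re-implements the character table of Django's escapejs filter stand-alone so it runs without Django installed; the HOSTILE value is a constructed sample, and the two roundtrip helpers are a simulation of what the browser and jQuery do with the rendered markup, not a real DOM. Ticket 17419 later produced Django's json_script template filter, which packages the same idea.

```python
import html
import json
import re

# Constructed sample, standing in for attacker-controlled data the view hands to
# the template (a display name here). It carries the characters that break
# naive embedding: a closing script tag, both quote kinds, & and U+2028.
HOSTILE = {"name": "</script><script>alert(1)</script>\"' & \u2028"}

# Stand-alone re-implementation of the character set Django's escapejs filter
# rewrites to \uXXXX (example code, not Django's own).
_JS_ESCAPES = {
    ord("\\"): "\\u005C", ord("'"): "\\u0027", ord('"'): "\\u0022",
    ord(">"): "\\u003E", ord("<"): "\\u003C", ord("&"): "\\u0026",
    ord("="): "\\u003D", ord("-"): "\\u002D", ord(";"): "\\u003B",
    ord("`"): "\\u0060", ord("\u2028"): "\\u2028", ord("\u2029"): "\\u2029",
}
_JS_ESCAPES.update((c, "\\u%04X" % c) for c in range(32))


def escapejs(value: str) -> str:
    """Escape text so it is inert inside a JS string literal in a <script> block."""
    return value.translate(_JS_ESCAPES)


def render_script_unsafe(data: dict) -> str:
    """The anti-pattern: the JSON lands in the script with no escaping, as
    `{{ data|safe }}` would do. The HTML parser ends the script at the first
    </script> it sees, whatever the JSON string intended."""
    return '<script>var json = JSON.parse("%s");</script>' % json.dumps(data)


def render_script_escapejs(data: dict) -> str:
    """Slide 4: the JSON goes through escapejs, so no <, >, quote or backslash
    survives into the script body."""
    return '<script>var json = JSON.parse("%s");</script>' % escapejs(json.dumps(data))


def render_data_attribute(data: dict) -> str:
    """Slide 5: the JSON sits in a quoted HTML attribute, where Django's
    autoescaping (html.escape here, same five characters) is the right escaping."""
    return '<div data-foo="%s" id="json2"></div>' % html.escape(json.dumps(data))


def script_breaks_out(doc: str) -> bool:
    """True when the rendered document holds more than the one closing script
    tag the template wrote, i.e. the data terminated the script early."""
    return doc.count("</script>") != 1


def script_literal_roundtrip(doc: str) -> dict:
    """Simulate the browser's handling of the slide-4 markup: take the text
    between the quotes of JSON.parse("..."), decode it as a JS string literal,
    then JSON-parse the result. Every \\uXXXX escape escapejs emits is valid in
    both JS and JSON string literals, so json.loads stands in for the JS engine."""
    literal = re.search(r'JSON\.parse\("([^"]*)"\)', doc).group(1)
    return json.loads(json.loads('"' + literal + '"'))


def data_attribute_roundtrip(doc: str) -> dict:
    """Simulate $('#json2').data('foo'): the HTML parser entity-decodes the
    attribute value, and jQuery's .data() JSON-parses a value that looks like JSON."""
    raw = re.search(r'data-foo="([^"]*)"', doc).group(1)
    return json.loads(html.unescape(raw))


if __name__ == "__main__":
    for label, doc in (("unsafe", render_script_unsafe(HOSTILE)),
                       ("escapejs", render_script_escapejs(HOSTILE))):
        print("%-8s breaks out of <script>: %s" % (label, script_breaks_out(doc)))
    print("slide 4 roundtrip:", script_literal_roundtrip(render_script_escapejs(HOSTILE)) == HOSTILE)
    print("slide 5 roundtrip:", data_attribute_roundtrip(render_data_attribute(HOSTILE)) == HOSTILE)
```

The point the two slides share: the escaping has to match the context the value lands in. Inside a JS string literal that is escapejs (every dangerous character becomes a \uXXXX escape, which the browser never treats as markup); inside an attribute it is ordinary HTML autoescaping, which Django applies by default, and the data is read back through the DOM rather than by splicing it into source code.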