I'm not especially familiar with Django, but it looks to me like the error they intended to point out is that there are no quotes around the attribute value, meaning that the space in the example value causes the rest of the string (onmouseover=...) to be interpreted as a separate attribute. Instead, you should put quotes like so:
<style class="{{ var }}">...</style>
If I understand correctly, this would be safe since all the characters that could interfere with the quoting are escaped. You might want to verify that interpretation; for example, write <span title="{{ var }}">foo</span>, run the template with foo set to <>"'&, and then make sure that they're properly escaped in the HTML and that the title appears in the browser with the original characters.
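The verification this answer describes, as an added example that is not part of the original answer or of Django itself. It assumes Django's autoescape replaces the five characters & < > " ' with &amp; &lt; &gt; &quot; &#x27; (reimplemented here as django_escape, not Django's own code), and it uses Python's stdlib html.parser in place of a browser to show how each rendered tag is tokenized into attributes. The attacker input and probe string are constructed for the example.

```python
from html.parser import HTMLParser


def django_escape(value: str) -> str:
    """Assumption: the same five replacements Django's autoescape applies.
    Reimplemented for this example; it is not Django's escape()."""
    return (
        str(value)
        .replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
        .replace("'", "&#x27;")
    )


class AttrCollector(HTMLParser):
    """Record the attributes the parser sees on the first start tag.
    html.parser unescapes entities in attribute values, as a browser would."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = attrs


def parse_first_tag_attrs(markup: str) -> dict:
    """Tokenize the markup and return the first tag's attributes as a dict."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return dict(parser.attrs or [])


def render_unquoted(var: str) -> str:
    """Mimics <span title={{ var }}>foo</span>: escaped, but the value is unquoted."""
    return f"<span title={django_escape(var)}>foo</span>"


def render_quoted(var: str) -> str:
    """Mimics <span title="{{ var }}">foo</span>: escaped and quoted."""
    return f'<span title="{django_escape(var)}">foo</span>'


# Constructed attacker input: no special characters, so escaping leaves it
# alone, but the space splits an unquoted attribute value.
PAYLOAD = "x onmouseover=alert(1)"

# The probe string the answer suggests rendering into the template.
PROBE = "<>\"'&"


if __name__ == "__main__":
    # Unquoted: the parser sees a second attribute, onmouseover.
    print(render_unquoted(PAYLOAD), parse_first_tag_attrs(render_unquoted(PAYLOAD)))
    # Quoted: the whole payload stays inside the title attribute.
    print(render_quoted(PAYLOAD), parse_first_tag_attrs(render_quoted(PAYLOAD)))
    # Probe: the HTML carries entities, the parsed title has the original characters.
    print(render_quoted(PROBE), parse_first_tag_attrs(render_quoted(PROBE)))
```

Running the script shows the three cases side by side: the unquoted render yields a separate onmouseover attribute, the quoted render keeps the payload inert as text inside title, and the probe comes back out of the parser as the original <>"'& even though the rendered HTML only contains entities.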
One thing you can do is not allow variable classes. You can use something like
<style class={% if class_foo %}foo{% elif class_bar %}bar{% else %}baz{% endif %}>...</style>
There are also filters available to prevent XSS elsewhere: https://docs.djangoproject.com/en/dev/ref/templates/builtins/#std:templatefilter-escape