Security
JavaScript and HTML code is subject to XSS attacks if user input is not correctly sanitized.
Python
Read the Django docs on XSS. We occasionally use the safe filter within templates and the mark_safe function in views. Read the docs on Django’s html and safestring utils.
JavaScript templates
HQ uses Underscore templates in some areas. Default to using <%- ... %> syntax to interpolate values, which HTML-escapes the value before it is inserted. Any value interpolated with <%= ... %> is inserted as-is, so it must have been escaped beforehand.
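To make the difference between the two interpolation forms concrete, the following is an added example; it is not HQ's code and not Underscore's own _.template. It is a minimal renderer that understands only <%- key %> and <%= key %>, where the expression is limited to a single property name on the data object (Underscore itself accepts arbitrary JavaScript there), with an escaper that uses the same character set as Underscore's _.escape. The UNTRUSTED_NAME value is a constructed sample.

```javascript
// Added example (not HQ's code, not Underscore's _.template): a minimal
// template renderer supporting only the two interpolation forms
// discussed above, so their behaviour can be compared without Underscore.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };

// Same character set as Underscore's _.escape; null/undefined become ''.
function escapeHtml(value) {
  if (value == null) return '';
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Compile a template string into a render function. Only a bare property
// name is accepted between the tags (an assumption of this example).
function compileTemplate(text) {
  const tagRe = /<%(-|=)\s*([A-Za-z_$][\w$]*)\s*%>/g;
  const parts = [];
  let last = 0;
  let m;
  while ((m = tagRe.exec(text)) !== null) {
    parts.push({ literal: text.slice(last, m.index) });
    parts.push({ key: m[2], escape: m[1] === '-' });
    last = m.index + m[0].length;
  }
  parts.push({ literal: text.slice(last) });
  return (data) => parts.map((p) => {
    if (p.literal !== undefined) return p.literal;
    const raw = data[p.key] == null ? '' : String(data[p.key]);
    return p.escape ? escapeHtml(raw) : raw; // <%= %> trusts the value as-is
  }).join('');
}

const escapedRow = compileTemplate('<td><%- name %></td>'); // the HQ default
const rawRow = compileTemplate('<td><%= name %></td>');     // only for pre-escaped values

// Constructed untrusted input standing in for a user-supplied name.
const UNTRUSTED_NAME = '<script>alert("xss")</script>';

function renderEscaped(name) { return escapedRow({ name }); }
function renderRaw(name) { return rawRow({ name }); }
function renderRawPreEscaped(name) { return rawRow({ name: escapeHtml(name) }); }

console.log(renderEscaped(UNTRUSTED_NAME));        // markup neutralised
console.log(renderRaw(UNTRUSTED_NAME));            // markup reaches the page
console.log(renderRawPreEscaped(UNTRUSTED_NAME));  // same as the escaped form
```

renderRaw shows the failure mode the guideline guards against: with <%= %> the value lands in the DOM unchanged, and only the caller's earlier escaping (renderRawPreEscaped) makes it equivalent to the <%- %> form.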
JavaScript code
In Knockout, be sure to escape any value passed to an html binding.
The DOMPurify library is available to sanitize user input. DOMPurify works by stripping potentially malicious markup. It does not escape input.
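The following added example (not HQ's code and not DOMPurify) puts plain escaping next to a toy allowlist sanitizer that has the same shape as what DOMPurify does: permitted markup is kept, everything else is dropped, and the result is still markup rather than entities. Run on the same constructed input, the two outputs show why a value passed to an html binding needs one or the other treatment. The tag allowlist, the prepareForHtmlBinding helper and its allowMarkup option are assumptions of this example; the toy sanitizer illustrates the distinction only and does not cover the parsing corner cases DOMPurify exists to handle.

```javascript
// Added example (not HQ's code, not DOMPurify): escaping versus sanitizing
// on the same untrusted input, as it matters for a Knockout html binding.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };

// Escaping: every markup character becomes an entity, so the browser
// shows the input as literal text. Same character set as Underscore's _.escape.
function escapeHtml(value) {
  if (value == null) return '';
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Sanitizing (toy): permitted tags survive with their attributes removed,
// anything else is stripped. The allowlist is an assumption of this example.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);

function toySanitize(markup) {
  return String(markup == null ? '' : markup)
    // drop script/style elements together with their bodies
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '')
    // keep allowed tags (attributes removed), remove every other tag
    .replace(/<(\/?)([A-Za-z][\w-]*)\b[^>]*>/g, (tag, slash, name) => {
      const lower = name.toLowerCase();
      return ALLOWED_TAGS.has(lower) ? `<${slash}${lower}>` : '';
    });
}

// What may be handed to an html binding: escaped text when no markup is
// wanted, sanitized markup when some markup is wanted, never the raw value.
// `allowMarkup` is an assumed option name for this example.
function prepareForHtmlBinding(untrusted, allowMarkup) {
  return allowMarkup ? toySanitize(untrusted) : escapeHtml(untrusted);
}

// Constructed untrusted input mixing wanted and unwanted markup.
const UNTRUSTED_COMMENT = '<b onclick="x()">hello</b><script>alert(1)</script>';

console.log(prepareForHtmlBinding(UNTRUSTED_COMMENT, false)); // entities only
console.log(prepareForHtmlBinding(UNTRUSTED_COMMENT, true));  // <b>hello</b>
```

Note the asymmetry the page points out: the sanitized output still contains live tags (here <b>), so it is only appropriate where markup is actually meant to render; the escaped output contains no tags at all and is the right choice when the value is plain text.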