Security

JavaScript and HTML code is subject to XSS attacks if user input is not correctly sanitized.

Python

We occasionally use the safe filter within templates and the mark_safe function in views.

Read the docs on Django’s html and safestring utils.

HQ uses Underscore templates templates in some areas. Default to using <%- ... %> syntax to interpolate values, which properly escapes.

Any value interpolated with <%= ... %> must be previously escaped.

In Knockout, be sure to escape any value passed to an html binding.

The DOMPurify library is available to sanitize user input. DOMPurify works by stripping potentially malicious markup. It does not escape input.