JavaScript and HTML code is subject to XSS attacks if user input is not correctly sanitized.


Read the Django docs on XSS

We occasionally use the safe filter within templates and the mark_safe function in views.

Read the docs on Django’s html and safestring utils.

JavaScript templates

HQ uses Underscore templates templates in some areas. Default to using <%- ... %> syntax to interpolate values, which properly escapes.

Any value interpolated with <%= ... %> must be previously escaped.

JavaScript code

In Knockout, be sure to escape any value passed to an html binding.

The DOMPurify library is available to sanitize user input. DOMPurify works by stripping potentially malicious markup. It does not escape input.