Read the Django docs on XSS. Django templates auto-escape interpolated values by default. We occasionally use the safe filter within templates and the mark_safe function in views; each such use bypasses auto-escaping, so the value being marked safe must not contain unescaped user-controlled content.
HQ uses Underscore templates in some areas. Default to the <%- ... %> syntax to interpolate values, which HTML-escapes them. The <%= ... %> syntax inserts the value as raw markup, so any value interpolated with <%= ... %> must already have been escaped.
In Knockout, the text binding escapes its value, but the html binding inserts it as raw markup, so be sure to escape any value passed to an html binding.
The DOMPurify library is available to sanitize user input. DOMPurify works by stripping potentially malicious markup and leaving the remaining HTML intact; it does not escape input. Use it when user-supplied HTML genuinely needs to be rendered as HTML, and use escaping when the value should be displayed as text.
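As an added example (not CommCare HQ code, and not Underscore, Knockout or DOMPurify themselves), the JavaScript below uses a hypothetical render() helper that mimics the two Underscore delimiters, plus an escapeHtml() function covering the same six characters as Underscore's _.escape, to show what a constructed attacker payload becomes under <%- %>, under <%= %>, and under <%= %> with a value escaped beforehand. The last case is also what a Knockout html binding requires. It closes with the escape-versus-sanitize distinction: escaping neutralises all markup, whereas a sanitizer keeps the harmless parts.

```javascript
// Added example, not CommCare HQ code. escapeHtml() covers the same six
// characters as Underscore's _.escape; render() is a hypothetical stand-in
// for _.template that only handles "<%- key %>" and "<%= key %>" lookups of
// top-level context keys, which is enough to show the difference.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "`": "&#x60;",
};

// Escape a value for insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// "<%- key %>" escapes the looked-up value; "<%= key %>" inserts it as-is.
function render(template, context) {
  return template.replace(/<%([-=])\s*(\w+)\s*%>/g, (_m, mode, key) => {
    const value = context[key] === undefined ? "" : context[key];
    return mode === "-" ? escapeHtml(value) : String(value);
  });
}

// Constructed attacker-controlled input (think: a user's display name).
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const TEMPLATE_ESCAPED = '<span class="name"><%- name %></span>';
const TEMPLATE_RAW = '<span class="name"><%= name %></span>';

// Default: <%- %> turns the payload into inert text.
function renderEscaped() {
  return render(TEMPLATE_ESCAPED, { name: PAYLOAD });
}

// Bug: <%= %> with an unescaped value leaves a live <img onerror> in the page.
function renderRawUnescaped() {
  return render(TEMPLATE_RAW, { name: PAYLOAD });
}

// Acceptable: <%= %> is only safe when the value was escaped beforehand.
// A Knockout html binding needs the same treatment: pass escapeHtml(value),
// never the raw user value.
function renderRawPreEscaped() {
  return render(TEMPLATE_RAW, { name: escapeHtml(PAYLOAD) });
}

// Quick check over rendered output: does any tag survive that did not come
// from the template itself? The template contributes only <span> tags, so
// anything else is injected.
function hasInjectedTag(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.some((t) => !/^<\/?span\b/i.test(t));
}

// Escaping is not sanitizing: escapeHtml() neutralises all markup, including
// the harmless <b>; a sanitizer such as DOMPurify would instead keep <b>hi</b>
// and drop only the <script> element.
function escapeMixedMarkup() {
  return escapeHtml("<b>hi</b><script>alert(1)</script>");
}

console.log(renderEscaped());
console.log(renderRawUnescaped());
console.log(renderRawPreEscaped());
```

Running it shows the escaped and pre-escaped renders are byte-for-byte identical, while the raw render carries an executable onerror handler; hasInjectedTag() is the kind of assertion worth keeping in a template test when a <%= %> or html binding is unavoidable.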