I have a Django based API. After scanning my application with CheckMarx, it showed that I have a Reflected XSS vulnerability here:
user_input_data = json.loads(request.GET.get('user_input_data'))
What I already tried:
django.utils.html.escape
django.utils.html.strip_tags
html.escape
escapejson package
Every time I run the scan, it finds stored XSS at exactly this location.
What you have tried is correct and acceptable, but Checkmarx's support for Django is somewhat limited, which is why it's not recognizing any of the functions you used. You need to argue with your security team about this and have them recognize that this is one of the proper ways of preventing XSS.
A rudimentary way of sanitizing input is to use the replace function to replace the '<' and '>' characters. It's not a robust way, but that is what Checkmarx recognizes:
def escape(s, quote=None):
    '''Replace special characters "&", "<" and ">" with HTML-safe sequences.
    If the optional flag quote is true, the quotation mark character (")
    is also translated.'''
    s = s.replace("&", "&amp;")  # Must be done first, or the entities below get double-escaped!
    s = s.replace("<", "&lt;")
    s = s.replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s
Credit for this code snippet goes to this post.
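An added, runnable example (not part of the answer above, and not the asker's or Checkmarx's code) that goes a bit beyond the snippet: it applies the same replace-based escaping to every string inside the parsed JSON from `json.loads(request.GET.get(...))`, shows why the `&` replacement must run first, and checks the result against the standard library's `html.escape`. The sample query value and the function names are constructed for this example; only the standard library is used, so it runs without Django.

```python
import html
import json

# Constructed sample of what an attacker could put in ?user_input_data=...
# (example input, not taken from the original question)
SAMPLE_QUERY_VALUE = json.dumps({
    "name": "<script>alert(1)</script>",
    "tags": ["a&b", "\"quoted\"", "it's"],
    "count": 3,
})


def escape_html(s, quote=True):
    """Replace-based HTML escaping, same idea as the answer's snippet.
    '&' is handled first so that entities produced by the later
    replacements are not escaped a second time. Single quotes are also
    escaped so the value is safe inside single-quoted attributes."""
    s = s.replace("&", "&amp;")   # must come first
    s = s.replace("<", "&lt;")
    s = s.replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
        s = s.replace("'", "&#x27;")
    return s


def wrong_order_escape(s):
    """Deliberately wrong: escaping '<' before '&' turns '&lt;' into
    '&amp;lt;', which the browser renders as the literal text '&lt;'."""
    s = s.replace("<", "&lt;")
    s = s.replace("&", "&amp;")
    return s


def escape_tree(value):
    """Escape every string inside a json.loads() result (dict keys
    included), leaving structure and non-string scalars unchanged.
    The scanner flags the GET parameter (the source); the strings only
    become dangerous where they are written into HTML (the sink), so
    this is applied right before rendering, not as a storage format."""
    if isinstance(value, str):
        return escape_html(value)
    if isinstance(value, list):
        return [escape_tree(v) for v in value]
    if isinstance(value, dict):
        return {escape_tree(k): escape_tree(v) for k, v in value.items()}
    return value


def parse_and_escape(raw_query_value):
    """Equivalent of json.loads(request.GET.get('user_input_data'))
    followed by escaping for an HTML context."""
    return escape_tree(json.loads(raw_query_value))


def matches_stdlib(s):
    """Sanity check: the hand-written escape agrees with html.escape."""
    return escape_html(s) == html.escape(s, quote=True)


if __name__ == "__main__":
    print(parse_and_escape(SAMPLE_QUERY_VALUE))
    print("wrong order:", wrong_order_escape("<"))
```

Note that this only makes the values safe when they are inserted as HTML text or into a quoted attribute; a string placed inside a `<script>` block or a JavaScript event handler needs JavaScript-context escaping instead, which is what `escapejs`/`escapejson` style helpers are for.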