Tags: python, django, security, xss, checkmarx

does Django HttpResponseRedirect suffer from xss attack?


As in the title: because the urlpatterns set a numeric parameter, I tend to think that HttpResponseRedirect won't suffer from an XSS attack. Am I right?

If not, how does HttpResponseRedirect suffer from it?

urls.py

from django.urls import path
from hello import views

app_name = 'hello'
urlpatterns = [
    path("", views.home, name="home"),
    # ex: /hello/5/
    path('<int:question_id>/', views.detail, name='detail'),
    path('<int:question_id>/results/', views.results, name='results'),
]

views.py

from django.http import HttpResponseRedirect
from django.urls import reverse

def detail(request, question_id):
    # question_id is the integer captured by <int:question_id> in urls.py
    return HttpResponseRedirect(reverse('hello:results', args=(question_id,)))

Solution

  • Django is generally a secure-by-default framework, which means that it should not be vulnerable to the most common attacks (such as XSS, SQLi, etc.).

    As long as you didn't use the mark_safe() method (reference) or the safe template tag (<span id="search-query" >You searched for {{ query | safe }}</span>), you should be safe from XSS attacks etc., because Django automatically escapes dangerous strings.

    In your particular case, XSS is impossible, as your URL accepts integers only (and as far as I understand, it displays only an ID of the question in the browser).

    To sum up, for XSS in Django you have to use the {{ something | safe }} template tag and load a string with a malicious XSS payload into the HTML template.
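To make the reasoning in this answer concrete, here is an added example (not Django's own code and not the poster's) that re-implements in plain Python the three behaviours it relies on: the `<int:...>` converter only matching digits, reverse() refusing an argument that does not fit the converter, and autoescaping versus the |safe / mark_safe() case. The ROUTES table, match_int_route and render_search are assumptions made for the illustration; the `[0-9]+` pattern is the one Django's IntConverter uses.

```python
import html
import re

# Constructed stand-in for Django's IntConverter: only digits match, so a path
# such as /hello/<script>/ never reaches the detail view at all.
INT_CONVERTER_REGEX = re.compile(r"^[0-9]+$")

# Constructed route table mirroring urls.py on the page (assumption, not Django).
ROUTES = {
    "hello:detail": "/hello/{question_id}/",
    "hello:results": "/hello/{question_id}/results/",
}


def match_int_route(path):
    """Return question_id as int when path matches /hello/<int:question_id>/, else None."""
    m = re.match(r"^/hello/([0-9]+)/$", path)
    return int(m.group(1)) if m else None


class NoReverseMatch(Exception):
    """Same role as django.urls.NoReverseMatch (constructed here)."""


def reverse(name, args):
    """Build a URL the way django.urls.reverse does: an argument that does not
    satisfy the converter's regex raises instead of being interpolated."""
    template = ROUTES[name]
    (value,) = args
    if not INT_CONVERTER_REGEX.match(str(value)):
        raise NoReverseMatch(f"{value!r} is not a valid int for {name}")
    return template.format(question_id=value)


def render_search(query, mark_safe=False):
    """Autoescaped output (Django's default) versus the |safe / mark_safe() case.

    With mark_safe=False the query is HTML-escaped, so a script tag is shown as
    text; with mark_safe=True it is emitted raw, which is the only way the
    answer's XSS scenario arises.
    """
    shown = query if mark_safe else html.escape(query, quote=True)
    return f'<span id="search-query">You searched for {shown}</span>'
```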