
Refactor risk acceptance details display: remove markdown rendering f…

a9f280f
Merged

Refactor risk acceptance details display #14283

DryRunSecurity / Cross-Site Scripting Analyzer succeeded Feb 9, 2026 in 40s

DryRun Security


Cross-Site Scripting Analyzer Findings: 3 detected

⚠️ Potential Cross-Site Scripting: dojo/templates/dojo/view_eng.html
Type: Potential Cross-Site Scripting
Description: Unescaped user-controlled fields (risk_acceptance.decision_details and risk_acceptance.filename) are injected directly into an HTML attribute data-content within an <i> tag. Django auto-escapes template variables in HTML content, but when placed inside a double-quoted attribute, quotes or HTML entities in the variable can break out of the attribute if not properly escaped. The template uses {{ risk_acceptance.decision_details }} without any attribute-specific escaping or sanitization, and there is no evidence in the patch of prior sanitization. This provides a path for attacker-controlled content to reach a rendering sink (HTML attribute) without context-appropriate encoding, enabling XSS.
Filename: dojo/templates/dojo/view_eng.html
Code:
    &nbsp;<i style="position:absolute;" class="fa has-popover fa-info-circle" title="Decision Details" data-trigger="hover" data-placement="bottom" data-container="body"
    data-content="{{ risk_acceptance.decision_details }}"></i>
⚠️ Potential Cross-Site Scripting: dojo/templates/dojo/view_eng.html
Type: Potential Cross-Site Scripting
Description: User-controllable values (risk_acceptance.filename and risk_acceptance.decision_details) are injected into HTML attribute data-content of elements used by a JS popover without additional attribute-specific escaping or sanitization. Django templates auto-escape by default for HTML body context, but embedding a value inside a double-quoted HTML attribute still requires that quotes and other special characters be escaped for attribute context. The code uses {{ risk_acceptance.filename }} and {{ risk_acceptance.decision_details }} directly inside data-content="...". If either field can contain user-controlled characters such as double quotes or HTML/JS, they can break out of the attribute or change the popover content, leading to XSS when the popover renders (especially since popover content may be interpreted as HTML by the JS plugin). No
Filename: dojo/templates/dojo/view_eng.html
Code:
    data-content="{{ risk_acceptance.filename }}"></i>
    </td>
    {% else %}
⚠️ Potential Cross-Site Scripting: dojo/templates/dojo/view_risk_acceptance.html
Type: Potential Cross-Site Scripting
Description: User-controlled fields risk_acceptance.recommendation_details, risk_acceptance.decision_details, and risk_acceptance.filename are rendered directly into HTML attributes (data-content) and into the template without any escaping/filtering. Django templates auto-escape variables when inserted into HTML body, but they are inserted into HTML attributes (data-content) that are later used by JS-driven popovers; if values contain quotes or HTML they can break out of the attribute or include HTML in the rendered popover. The patch shows direct use of {{ risk_acceptance.recommendation_details }} and {{ risk_acceptance.decision_details }} with no safe filtering or sanitization; there is no indication in the patch that these fields are sanitized before rendering. This creates a stored XSS risk if those fields can contain untrusted input.
Filename: dojo/templates/dojo/view_risk_acceptance.html
Code:
    {{ risk_acceptance.get_recommendation_display }}
    </td>
    <td width="40%">
    {{ risk_acceptance.recommendation_details }}
    </td>
    <td width="10%">
    {{ risk_acceptance.get_decision_display }}
    </td>
    <td width="40%">
    {{ risk_acceptance.decision_details }}
    </td>
    </tr>
    </tbody>