docs(showcases): remove http syntax highlighting in django-unicorn guide
Updates code blocks to use generic formatting instead of explicit HTTP syntax highlighting. This ensures better compatibility with documentation rendering and avoids potential highlighting artifacts in examples that combine HTTP-like structures with JSON payloads.
website/source/content/docs/collection/showcases/django-unicorn.md
8 additions & 8 deletions
@@ -65,7 +65,7 @@ The function performs both `getattr` and `__getitem__` for resolution (Agnostic-
65
65
66
66
This functionality is triggered via component requests by specifying the request type as `syncInput`:
67
67
68
-
```http
68
+
```
69
69
POST /unicorn/message/COMPONENT_NAME
70
70
71
71
{
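Review bot: Inconsistent request lines across the file: this first example reads `POST /unicorn/message/COMPONENT_NAME` with no HTTP version, while every later block touched by this diff reads `POST /unicorn/message/todo HTTP/1.1`. Now that the `http` tag is gone, the highlighter will no longer flag either form, so this pass is a good moment to settle on one style (drop `HTTP/1.1` everywhere or add it here) so the eight blocks read uniformly.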
@@ -93,7 +93,7 @@ By setting `property_name` to a path like `__init__.__globals__`, the component
93
93
94
94
Django-Unicorn uses the `EntitySubstitution` rule from BeautifulSoup to sanitize HTML in template responses. This rule is stored in a global dictionary that can be polluted.
95
95
96
-
```http
96
+
```
97
97
POST /unicorn/message/todo HTTP/1.1
98
98
99
99
{
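Review bot: The replacement fence in the `+` line has an empty info string rather than a neutral tag such as `text`. Some markdown linters (markdownlint's MD040, fenced-code-language) flag untagged fences, and an explicit `text` tag states the intent given in the commit message (no highlighting) more clearly than a bare fence. Worth checking whether the docs build runs such a rule before applying the same change to all eight blocks.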
@@ -121,7 +121,7 @@ POST /unicorn/message/todo HTTP/1.1
121
121
122
122
Django-Unicorn always includes a script tag in the webpage where a `NAME` value is dynamically extracted from the `MORPHER_NAMES` and `DEFAULT_MORPHER_NAME` variables in the settings module. Django by default escapes special characters into unicode sequences via the `_json_script_escapes` variable. By clearing this sanitizer and polluting the settings, we achieve stored XSS.
123
123
124
-
```http
124
+
```
125
125
POST /unicorn/message/todo HTTP/1.1
126
126
127
127
{
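Review bot: Style nit in the context line above this block: "we achieve stored XSS" is first person, whereas the neighbouring sections use the third person ("an attacker can forge session cookies", "attackers achieve arbitrary module import"). Consider "this results in stored XSS" for a consistent voice in the guide.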
@@ -164,7 +164,7 @@ POST /unicorn/message/todo HTTP/1.1
164
164
165
165
Django stores its error page source code in the global variable `ERROR_PAGE_TEMPLATE` at `django/views/defaults.py`. By polluting this variable, any user triggering an error (e.g., accessing a nonexistent resource) will execute the attacker's payload.
166
166
167
-
```http
167
+
```
168
168
POST /unicorn/message/todo HTTP/1.1
169
169
170
170
{
@@ -192,7 +192,7 @@ POST /unicorn/message/todo HTTP/1.1
192
192
193
193
Django's `SECRET_KEY` is used to sign and verify session cookies and other security mechanisms. By polluting its runtime value, an attacker can forge session cookies to log in as any user.
194
194
195
-
```http
195
+
```
196
196
POST /unicorn/message/todo HTTP/1.1
197
197
198
198
{
@@ -220,7 +220,7 @@ POST /unicorn/message/todo HTTP/1.1
220
220
221
221
The `timed` decorator is used to wrap many important functions in django-unicorn, such as `_call_method_name`. By polluting it to a string, all decorated function calls become uncallable.
222
222
223
-
```http
223
+
```
224
224
POST /unicorn/message/todo HTTP/1.1
225
225
226
226
{
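Review bot: Wording in the context line above this block: "all decorated function calls become uncallable" should read "all decorated functions become uncallable" (a call is not itself callable). It is an unchanged context line, so out of scope for this commit, but worth fixing in a follow-up.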
@@ -250,7 +250,7 @@ By polluting the `location_cache` object, attackers achieve arbitrary module imp
250
250
251
251
**Step 1**: Pollute `location_cache` to trigger `antigravity` module import on next request:
252
252
253
-
```http
253
+
```
254
254
POST /unicorn/message/todo HTTP/1.1
255
255
256
256
{
@@ -277,7 +277,7 @@ POST /unicorn/message/todo HTTP/1.1
277
277
278
278
**Step 2**: Pollute `BROWSER` environment variable with the command injection payload: