# Is Django JsonResponse data safe from XSS when used directly in JavaScript?


south robin

I return data like client names and descriptions via JsonResponse from Django. Is it safe to use this directly in the DOM, or do I need XSS protection? (normally I just use templates, and follow https://docs.djangoproject.com/en/5.2/ref/templates/builtins/#std-templatefilter-json_script, but this needs to be loaded in dynamically)

# Fetching data from ORM...
return JsonResponse([{
    'title': f"{client.first_name} {client.last_name}",
    ...
}], safe=False)

How do I access this securely in my JS?
Like this? (in this case the fetch happens in a fullcalendar event)

const title = event.extendedProps.title

Or should I create divs, and set the textContent of those to the values before?

prime cradle

> Is it safe to use this directly in the DOM, or do I need XSS protection?

No, it is not safe to use directly. Yes, you need XSS protection.


You mention fullCalendar - if that's the only place that you'll be consuming this data, I would expect that library to escape the unsafe characters, but of course, you should validate this!


If you need to escape it yourself, https://www.npmjs.com/package/dompurify appears to be a good solution.
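An added example (not code from either poster) showing the two safe ways to put `JsonResponse` data into the page that the thread discusses: assigning `textContent` on nodes you create, or HTML-escaping each field if a library insists on an HTML string. The sample JSON body and the `title`/`description` field names are constructed to mirror the view in the question; the FullCalendar hook mentioned in the comments is an assumption, so check your calendar version's docs for the exact callback.

```javascript
// Constructed sample of what JsonResponse(..., safe=False) emits when a
// client name contains markup. JSON-encoding is not HTML-escaping: the
// angle brackets arrive in the browser exactly as stored in the database.
const SAMPLE_BODY = JSON.stringify([
  { title: 'Mallory <b>Smith</b> & Co', description: 'Prefers <em>early</em> slots' },
]);

// Parse the response and coerce only the fields we expect to plain strings,
// so nothing unexpected (objects, arrays) reaches the rendering code.
function parseEvents(body) {
  const data = JSON.parse(body);
  if (!Array.isArray(data)) throw new Error('expected a JSON array');
  return data.map((e) => ({
    title: String(e.title ?? ''),
    description: String(e.description ?? ''),
  }));
}

// Preferred path: build DOM nodes and assign text via textContent. The
// browser never parses the string as HTML, so no escaping is needed.
// `doc` defaults to the page's document; it is injectable for testing.
function renderEvent(ev, doc = globalThis.document) {
  const wrapper = doc.createElement('div');
  const title = doc.createElement('strong');
  title.textContent = ev.title; // shown literally, tags are not interpreted
  const desc = doc.createElement('span');
  desc.textContent = ev.description;
  wrapper.appendChild(title);
  wrapper.appendChild(desc);
  return wrapper;
}

// Fallback for APIs that only take an HTML string: escape every field that
// is interpolated. Covers the five characters that matter in text and
// double/single-quoted attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function eventAsHtml(ev) {
  return `<strong>${escapeHtml(ev.title)}</strong> <span>${escapeHtml(ev.description)}</span>`;
}

// Hypothetical wiring (assumption, not verified against a FullCalendar
// version): eventContent: (arg) => ({ domNodes: [renderEvent(arg.event)] })
```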