Refactor risk acceptance details display#14283
Merged
Conversation
…or decision and recommendation details
🟡 Please give this pull request extra attention during review.This pull request introduces several instances where user-controlled fields (risk_acceptance.filename, decision_details, recommendation_details) are interpolated directly into HTML attributes (data-content) used by JS popovers without attribute-context escaping or sanitization, creating a stored XSS risk if those fields can contain quotes or HTML. The scanner flags these as risky (non-blocking) locations in dojo/templates/dojo/view_eng.html and dojo/templates/dojo/view_risk_acceptance.html and recommends applying proper attribute-appropriate escaping or sanitization.
🟡 Potential Cross-Site Scripting in
|
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Unescaped user-controlled fields (risk_acceptance.decision_details and risk_acceptance.filename) are injected directly into an HTML attribute data-content within an tag. Django auto-escapes template variables in HTML content, but when placed inside a double-quoted attribute, quotes or HTML entities in the variable can break out of the attribute if not properly escaped. The template uses {{ risk_acceptance.decision_details }} without any attribute-specific escaping or sanitization, and there is no evidence in the patch of prior sanitization. This provides a path for attacker-controlled content to reach a rendering sink (HTML attribute) without context-appropriate encoding, enabling XSS. |
django-DefectDojo/dojo/templates/dojo/view_eng.html
Lines 429 to 430 in a9f280f
🟡 Potential Cross-Site Scripting in dojo/templates/dojo/view_eng.html
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | User-controllable values (risk_acceptance.filename and risk_acceptance.decision_details) are injected into HTML attribute data-content of elements used by a JS popover without additional attribute-specific escaping or sanitization. Django templates auto-escape by default for HTML body context, but embedding a value inside a double-quoted HTML attribute still requires that quotes and other special characters be escaped for attribute context. The code uses {{ risk_acceptance.filename }} and {{ risk_acceptance.decision_details }} directly inside data-content="...". If either field can contain user-controlled characters such as double quotes or HTML/JS, they can break out of the attribute or change the popover content leading to XSS when the popover renders (especially since popover content may be interpreted as HTML by the JS plugin). No escape, urlencode, or a sanitizer (e.g., DOMPurify on the client or server-side cleaning) is applied in the template, and I did not find any surrounding code that sanitizes these model fields before rendering in the provided patch. Therefore a path exists from user-controlled data to a rendering sink without proper context-appropriate escaping or sanitization. |
django-DefectDojo/dojo/templates/dojo/view_eng.html
Lines 445 to 447 in a9f280f
🟡 Potential Cross-Site Scripting in dojo/templates/dojo/view_risk_acceptance.html
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | User-controlled fields risk_acceptance.recommendation_details, risk_acceptance.decision_details, and risk_acceptance.filename are rendered directly into HTML attributes (data-content) and into the template without any escaping/filtering. Django templates auto-escape variables when inserted into HTML body, but they are inserted into HTML attributes (data-content) that are later used by JS-driven popovers; if values contain quotes or HTML they can break out of the attribute or include HTML in the rendered popover. The patch shows direct use of {{ risk_acceptance.recommendation_details }} and {{ risk_acceptance.decision_details }} with no safe filtering or sanitization; there is no indication in the patch that these fields are sanitized before rendering. This creates a stored XSS risk if those fields can contain untrusted input. |
django-DefectDojo/dojo/templates/dojo/view_risk_acceptance.html
Lines 142 to 154 in a9f280f
All finding details can be found in the DryRun Security Dashboard.
Jino-T
approved these changes
Feb 10, 2026
valentijnscholten
approved these changes
Feb 11, 2026
blakeaowens
approved these changes
Feb 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Remove markdown rendering for decision and recommendation details in the risk acceptance display to simplify the presentation of information. This change enhances clarity and consistency in the user interface.
[sc-12782]