Django framework, ~20 mins

XSS prevention in templates in Django - Practice Problems & Coding Challenges

Challenge - 5 Problems
Problem 1: Component behavior (intermediate)
What will this Django template output?
Consider this Django template snippet:
{% autoescape on %}{{ user_input }}{% endautoescape %}

If user_input is <script>alert('XSS')</script>, what will be rendered in the browser?
A. Script tag removed completely
B. alert('XSS')
C. &lt;script&gt;alert('XSS')&lt;/script&gt;
D. &amp;lt;script&amp;gt;alert(&#x27;XSS&#x27;)&amp;lt;/script&amp;gt;
💡 Hint: Think about what autoescape does to HTML special characters.
Problem 2: 📝 Syntax (intermediate)
Which template syntax disables autoescaping for a variable?
In Django templates, how do you output a variable user_input without escaping HTML?
A. {{ user_input|raw }}
B. {% autoescape off %}{{ user_input }}{% endautoescape %}
C. {{ user_input|escape }}
D. {{ user_input|safe }}
💡 Hint: One option is a filter that marks the string as safe.
Problem 3: 🔧 Debug (advanced)
Why does this template still allow XSS?
Given this template:
{{ user_input|safe }}

and user_input contains <img src=x onerror=alert(1)>, why is this a security risk?
A. Because |safe disables escaping, allowing scripts in user input to run
B. Because the img tag is removed automatically
C. Because Django autoescapes by default, so this is safe
D. Because the onerror attribute is sanitized by Django
💡 Hint: Think about what |safe does to user input.
Problem 4: 🧠 Conceptual (advanced)
How does Django's autoescaping protect against XSS?
Which statement best describes Django's autoescaping feature in templates?
A. It converts special HTML characters in variables to safe entities to prevent script execution
B. It removes all HTML tags from user input automatically
C. It encrypts user input before rendering
D. It disables JavaScript in the browser
💡 Hint: Think about what happens to < and > characters.
Problem 5: State output (expert)
How many links are rendered as safe clickable URLs?
In this Django template:
{% for link in links %}{{ link|urlize }}<br>{% endfor %}

Given links = ['http://example.com', 'javascript:alert(1)', 'https://safe.com'], how many links will be rendered as clickable safe URLs?
A. 0
B. 2
C. 1
D. 3
💡 Hint: urlize only makes safe URLs clickable, ignoring javascript: links.
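The following is an added worked example, not part of the challenge page, that reproduces the behaviour behind Problems 1, 3 and 5 with the standard library only. Django's django.utils.html.escape delegates to the standard library's html.escape, so render_autoescaped() emits exactly what {% autoescape on %}{{ user_input }}{% endautoescape %} emits; render_safe() shows why {{ user_input|safe }} hands the payload through untouched; link_if_safe_scheme() is a simplified stand-in for urlize's scheme rule (an assumption for illustration, not Django's own code, which additionally links email addresses). The payloads and link list are the quiz's own inputs.

```python
import html
import re

# Constructed sample inputs, copied from the quiz problems above.
SCRIPT_PAYLOAD = "<script>alert('XSS')</script>"
IMG_PAYLOAD = "<img src=x onerror=alert(1)>"
LINKS = ["http://example.com", "javascript:alert(1)", "https://safe.com"]


def render_autoescaped(value: str) -> str:
    """What {% autoescape on %}{{ value }}{% endautoescape %} emits.

    django.utils.html.escape calls html.escape(str(text)), whose default
    quote=True turns < > & " ' into &lt; &gt; &amp; &quot; &#x27;.
    The browser then displays the tag as literal text instead of running it.
    """
    return html.escape(value, quote=True)


def render_safe(value: str) -> str:
    """What {{ value|safe }} or {% autoescape off %} emits: the raw string.

    Nothing is removed or sanitized, so an onerror handler in user input
    reaches the browser intact (Problem 3).
    """
    return value


def render_double_escaped(value: str) -> str:
    """Escaping an already-escaped string: the mistake behind option D of
    Problem 1. Django itself avoids it because escape() returns a SafeString
    that a second pass leaves alone; this shows the broken result by hand."""
    return html.escape(html.escape(value, quote=True), quote=True)


# Simplified version of the prefixes urlize links (assumption: real urlize
# also links email addresses, which this stand-in ignores).
_LINKABLE_PREFIX = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


def link_if_safe_scheme(text: str) -> str:
    """Stand-in for {{ text|urlize }} under autoescape.

    Only http://, https:// and www. prefixes become anchors; anything else,
    including a javascript: scheme, is escaped and left as plain text.
    """
    if _LINKABLE_PREFIX.match(text):
        href = text if text.lower().startswith("http") else "http://" + text
        return f'<a href="{html.escape(href)}">{html.escape(text)}</a>'
    return html.escape(text, quote=True)


def count_clickable(links) -> int:
    """Number of entries the template would render as clickable anchors."""
    return sum(1 for link in links if link_if_safe_scheme(link).startswith("<a "))


if __name__ == "__main__":
    print("autoescape on :", render_autoescaped(SCRIPT_PAYLOAD))
    print("double escaped:", render_double_escaped(SCRIPT_PAYLOAD))
    print("|safe         :", render_safe(IMG_PAYLOAD))
    for link in LINKS:
        print("urlize-like   :", link_if_safe_scheme(link))
    print("clickable     :", count_clickable(LINKS))
```

Note that the single-quote in the payload comes out as &#x27;, which is why a checklist that expects the quote to survive escaping is wrong for Django; and that reserving |safe for markup your own code produced (or that has been through a sanitizer such as a bleach-style allow-list) is the practical rule the Debug problem is testing.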