xss-utils

Utilities to prevent possible Cross Site Scripting (XSS) attacks on Django/Mako templates.

Overview

This repo houses utility functions that protect the edX codebase (Python, JavaScript, and templating engines such as Django and Mako) against possible XSS attacks. The helper code includes HTML and JavaScript escaping filters for Django and Mako templates. For more information, please read `Preventing Cross Site Scripting Vulnerabilities <https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/index.html>`_.
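The overview names two kinds of escaping filter, one for HTML context and one for JavaScript context. The following is an added example written for this page, not the xss-utils package's own code or API (the function names are hypothetical); it builds both escapers from the standard library and shows why the HTML one cannot simply be reused inside a ``<script>`` block:

```python
# Added illustration: two context-specific escapers of the kind the README
# describes, written from scratch (not the xss-utils API; names are
# hypothetical) using only the standard library.
import html
import json


def html_escaped(value):
    """Escape for HTML element content or a quoted attribute value."""
    return html.escape(str(value), quote=True)


def js_escaped_string(value):
    """Escape for the inside of a double-quoted JS string literal in a <script> block.

    json.dumps escapes quotes, backslashes, control characters and all
    non-ASCII (including U+2028/2029). The HTML parser runs before the JS
    engine and ends the block at the first "</script>" it sees, so '<', '>'
    and '&' are also turned into \\uXXXX escapes, which JS decodes back.
    """
    body = json.dumps(str(value))[1:-1]  # drop the quotes json.dumps adds
    return (body.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


def render_script_var(value, escaper=js_escaped_string):
    """Simulate a template line that embeds a value in a JS string literal."""
    return '<script>var greeting = "%s";</script>' % escaper(value)


def script_closer_count(rendered):
    """How many times the HTML parser would see the script block end."""
    return rendered.lower().count("</script>")


def js_round_trips(value, escaper=js_escaped_string):
    """True if a JS engine would decode the escaped literal back to `value`.

    JSON string syntax is a subset of JS string-literal syntax, so json.loads
    stands in for the JS engine here. Only call with escapers whose output is
    a valid literal body (unescaped input would not parse at all).
    """
    return json.loads('"%s"' % escaper(value)) == value


if __name__ == "__main__":
    # Constructed sample value: a quote, an ampersand and a script-closing tag.
    sample = 'O\'Brien </script> & "hi"'
    print(render_script_var(sample, lambda s: s))   # unescaped: block ends early
    print(render_script_var(sample, html_escaped))  # block intact, value mangled
    print(render_script_var(sample))                # block intact, value preserved
    print(script_closer_count(render_script_var(sample)), js_round_trips(sample))
```

HTML-escaping inside a script block keeps the block intact but hands the JS engine entity text (``&quot;`` rather than ``"``), which is why a separate JavaScript-context filter is needed.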

Documentation

The full documentation is in the ``docs`` directory. TODO: publish to https://xss-utils.readthedocs.org.

License

The code in this repository is licensed under the AGPL 3.0 unless otherwise noted.

Please see LICENSE.txt for details.

How To Contribute

Contributions are very welcome.

Please read `How To Contribute <https://github.com/openedx/.github/blob/master/CONTRIBUTING.md>`_ for details.

The PR description template should be applied automatically if you are sending a PR from the GitHub interface; otherwise you can find it at `PULL_REQUEST_TEMPLATE.md <https://github.com/openedx/xss-utils/blob/master/.github/PULL_REQUEST_TEMPLATE.md>`_.

The issue report template should likewise be applied automatically if you are filing it from the GitHub UI; otherwise you can find it at `ISSUE_TEMPLATE.md <https://github.com/openedx/xss-utils/blob/master/.github/ISSUE_TEMPLATE.md>`_.

Reporting Security Issues

Please do not report security issues in public. Please email security@openedx.org.

Getting Help

Have a question about this repository, or about Open edX in general? Please refer to this list of resources_ if you need any assistance.

.. _list of resources: https://open.edx.org/getting-help


Change Log

.. All enhancements and patches to xss_utils will be documented in this file. It adheres to the structure of http://keepachangelog.com/ , but in reStructuredText instead of Markdown (for ease of incorporation into Sphinx documentation and the PyPI description).

This project adheres to Semantic Versioning (http://semver.org/).

.. There should always be an "Unreleased" section for changes pending release.

Unreleased


[0.6.0] - 2024-04-22

* Test and declare Python 3.11 and 3.12 compatibility.

[0.5.0] - 2023-08-01

* Switch from ``edx-sphinx-theme`` to ``sphinx-book-theme`` since the former is
  deprecated. See https://github.com/openedx/edx-sphinx-theme/issues/184 for
  more details.
* Added support for Django 4.2.

[0.4.0] - 2022-01-20

Added

* Added support for Django 4.0.

Dropped

* Dropped Django 2.2, 3.0 and 3.1 from CI.

[0.3.0] - 2021-07-07

Added

* Support for Django 3.0, 3.1 and 3.2.

[0.1.0] - 2018-08-17

Added

* Utilities to enable HTML escaping, preventing Cross Site Scripting (XSS) attacks in Django templates.
