ruff/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S308.py
Mauro Fontana 4da6936ec4
[flake8-bandit] Allow raw strings in suspicious-mark-safe-usage (S308) #16702 (#16770)
## Summary
Stop flagging each invocation of `django.utils.safestring.mark_safe`
(also available at `django.utils.html.mark_safe`) as an error.

Instead, allow string literals as valid uses for `mark_safe`.

Also, update the documentation, pointing at
`django.utils.html.format_html` for dynamic content generation use
cases.

Closes #16702

## Test Plan
I verified several possible uses; all but string literals are still
flagged.

---------

Co-authored-by: Micha Reiser <micha@reiser.io>
2025-03-17 11:29:07 +01:00

43 lines
1,014 B
Python

from django.utils.safestring import mark_safe


def bad_func():
    inject = "harmful_input"
    mark_safe(inject)  # S308: argument is not a string literal
    mark_safe("I will add" + inject + "to my string")  # S308: concatenation
    mark_safe("I will add %s to my string" % inject)  # S308: %-formatting
    mark_safe("I will add {} to my string".format(inject))  # S308: str.format
    mark_safe(f"I will add {inject} to my string")  # S308: f-string


def good_func():
    mark_safe("I won't inject anything")  # allowed: plain string literal


@mark_safe
def some_func():
    return '<script>alert("evil!")</script>'


from django.utils.html import mark_safe


def bad_func():
    inject = "harmful_input"
    mark_safe(inject)  # S308: argument is not a string literal
    mark_safe("I will add" + inject + "to my string")  # S308: concatenation
    mark_safe("I will add %s to my string" % inject)  # S308: %-formatting
    mark_safe("I will add {} to my string".format(inject))  # S308: str.format
    mark_safe(f"I will add {inject} to my string")  # S308: f-string


def good_func():
    mark_safe("I won't inject anything")  # allowed: plain string literal


@mark_safe
def some_func():
    return '<script>alert("evil!")</script>'


# https://github.com/astral-sh/ruff/issues/15522
map(mark_safe, [])
foo = mark_safe
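As an added example, not part of this commit and not ruff's own implementation, the following stand-alone checker applies the behaviour the commit describes to Python source using the standard `ast` module: a call to `mark_safe` imported from `django.utils.safestring` or `django.utils.html` (under any alias, or referenced by its fully qualified name) passes when its argument is a plain string literal and is reported otherwise, so concatenation, `%`-formatting, `str.format`, f-strings and bare names are all flagged. It covers call expressions only; the decorator form and bare references such as `map(mark_safe, [])` are left alone. The `SAMPLE` source is constructed here and modelled on the fixture above; treating a literal passed as the keyword `s=` the same as a positional literal is my assumption, not something the commit states.

```python
"""Minimal re-implementation of the S308 logic described above (added example, not ruff code)."""
from __future__ import annotations

import ast

# Modules that export Django's mark_safe.
MARK_SAFE_MODULES = ("django.utils.safestring", "django.utils.html")
QUALIFIED_NAMES = {f"{module}.mark_safe" for module in MARK_SAFE_MODULES}


def mark_safe_aliases(tree: ast.AST) -> set[str]:
    """Local names bound by `from django.utils.{safestring,html} import mark_safe [as x]`."""
    names: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module in MARK_SAFE_MODULES:
            for alias in node.names:
                if alias.name == "mark_safe":
                    names.add(alias.asname or alias.name)
    return names


def is_string_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def marked_argument(call: ast.Call) -> ast.AST | None:
    """The expression handed to mark_safe: the first positional argument, or the
    keyword `s` (assumption: a literal passed as `s=` counts like a positional literal)."""
    if call.args:
        return call.args[0]
    for keyword in call.keywords:
        if keyword.arg == "s":
            return keyword.value
    return None


def find_suspicious_mark_safe(source: str) -> list[tuple[int, str]]:
    """Return (line number, call text) for every mark_safe call whose argument is
    not a plain string literal. Concatenation, %-formatting, str.format, f-strings
    and arbitrary names are reported; a literal cannot carry user input and passes."""
    tree = ast.parse(source)
    aliases = mark_safe_aliases(tree)
    findings: list[tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        is_mark_safe = (isinstance(func, ast.Name) and func.id in aliases) or (
            isinstance(func, ast.Attribute) and ast.unparse(func) in QUALIFIED_NAMES
        )
        if not is_mark_safe:
            continue
        argument = marked_argument(node)
        if argument is not None and is_string_literal(argument):
            continue  # string literal: allowed after this change
        findings.append((node.lineno, ast.unparse(node)))
    return sorted(findings)


# Constructed sample, modelled on the fixture above (not the fixture itself).
SAMPLE = '''\
from django.utils.safestring import mark_safe
from django.utils.html import mark_safe as ms

def bad_func(inject):
    mark_safe(inject)
    mark_safe("I will add " + inject + " to my string")
    mark_safe("I will add %s to my string" % inject)
    mark_safe("I will add {} to my string".format(inject))
    ms(f"I will add {inject} to my string")

def good_func():
    mark_safe("I won't inject anything")
    ms(s="<b>trusted literal</b>")

@mark_safe
def some_func():
    return "<script>alert('evil!')</script>"

map(mark_safe, [])
foo = mark_safe
'''

if __name__ == "__main__":
    # Lines 5 to 9 of SAMPLE are reported; the literals on lines 12 and 13 are not.
    for lineno, text in find_suspicious_mark_safe(SAMPLE):
        print(f"S308 line {lineno}: {text}")
```

The checker resolves `mark_safe` through the import statements it sees, which is the only way to avoid flagging an unrelated function that happens to share the name; ruff does the same resolution through its semantic model rather than this ad hoc scan.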