Merge pull request #326 from gofiber/django-autoescape

fix: Django autoescape should be enable by default

django/README.md

@@ -59,9 +59,9 @@ func main() {
 	// Create a new engine
 	engine := django.New("./views", ".django")
 
-  // Or from an embedded system
-  // See github.com/gofiber/embed for examples
-  // engine := html.NewFileSystem(http.Dir("./views", ".django"))
+	// Or from an embedded system
+	// See github.com/gofiber/embed for examples
+	// engine := html.NewFileSystem(http.Dir("./views", ".django"))
 
 	// Pass the engine to the Views
 	app := fiber.New(fiber.Config{
@@ -194,4 +194,44 @@ If you need to access a value in the template that doesn't adhere to the key nam
 c.Render("index", fiber.Map{
     "Fiber": "Hello, World!\n\nGreetings from Fiber Team",
     "MyKey": c.Locals("my-key"),
-})
+})
+
+### AutoEscape is enabled by default
+
+When you create a new instance of the `Engine`, the auto-escape is **enabled by default**. This setting automatically escapes output, providing a critical security measure against Cross-Site Scripting (XSS) attacks.
+
+### Disabling Auto-Escape
+
+Auto-escaping can be disabled if necessary, using the `SetAutoEscape` method:
+
+```go
+engine := django.New("./views", ".django")
+engine.SetAutoEscape(false)
+```
+
+### Setting AutoEscape using Django built-in template tags
+
+- Explicitly turning off autoescaping for a section:
+```django  
+  {% autoescape off %}
+  {{ "<script>alert('Hello World');</script>" }}
+  {% endautoescape %}
+```
+
+- Turning autoescaping back on for a section:
+```django
+  {% autoescape on %}
+  {{ "<script>alert('Hello World');</script>" }}
+  {% endautoescape %}
+```
+- It can also be done on a per variable basis using the *safe* built-in:
+```django
+<h1>{{ someSafeVar | safe }}</h1>
+{{ "<script>" | safe }}
+```
+
+### Security Implications of Disabling Auto-Escape
+
+Disabling auto-escape should be approached with caution. It can expose your application to XSS attacks, where malicious scripts are injected into web pages. Without auto-escaping, there is a risk of rendering harmful HTML or JavaScript from user-supplied data.
+
+It is advisable to keep auto-escape enabled unless there is a strong reason to disable it. If you do disable it, ensure all user-supplied content is thoroughly sanitized and validated to avoid XSS vulnerabilities.

django/django.go

@@ -21,6 +21,8 @@ type Engine struct {
 	core.Engine
 	// forward the base path to the template Engine
 	forwardPath bool
+	// set auto escape globally
+	autoEscape bool
 	// templates
 	Templates map[string]*pongo2.Template
 }
@@ -36,6 +38,7 @@ func New(directory, extension string) *Engine {
 			LayoutName: "embed",
 			Funcmap:    make(map[string]interface{}),
 		},
+		autoEscape: true,
 	}
 	return engine
 }
@@ -52,6 +55,7 @@ func NewFileSystem(fs http.FileSystem, extension string) *Engine {
 			LayoutName: "embed",
 			Funcmap:    make(map[string]interface{}),
 		},
+		autoEscape: true,
 	}
 	return engine
 }
@@ -70,6 +74,7 @@ func NewPathForwardingFileSystem(fs http.FileSystem, directory, extension string
 			LayoutName: "embed",
 			Funcmap:    make(map[string]interface{}),
 		},
+		autoEscape: true,
 		forwardPath: true,
 	}
 	return engine
@@ -101,7 +106,8 @@ func (e *Engine) Load() error {
 	pongoset := pongo2.NewSet("default", pongoloader)
 	// Set template settings
 	pongoset.Globals.Update(e.Funcmap)
-	pongo2.SetAutoescape(false)
+	// Set autoescaping
+	pongo2.SetAutoescape(e.autoEscape)
 
 	// Loop trough each Directory and register template files
 	walkFn := func(path string, info os.FileInfo, err error) error {
@@ -207,6 +213,11 @@ func isValidKey(key string) bool {
 	return true
 }
 
+// SetAutoEscape sets the auto-escape property of the template engine
+func (e *Engine) SetAutoEscape(autoEscape bool) {
+	e.autoEscape = autoEscape
+}
+
 // Render will render the template by name
 func (e *Engine) Render(out io.Writer, name string, binding interface{}, layout ...string) error {
 	if !e.Loaded || e.ShouldReload {
@@ -231,7 +242,16 @@ func (e *Engine) Render(out io.Writer, name string, binding interface{}, layout
 		if bind == nil {
 			bind = make(map[string]interface{}, 1)
 		}
-		bind[e.LayoutName] = parsed
+
+		// Workaround for custom {{embed}} tag
+		// Mark the `embed` variable as safe
+		// it has already been escaped above
+		// e.LayoutName will be 'embed'
+		safeEmbed := pongo2.AsSafeValue(parsed)
+
+		// Add the safe value to the binding map
+		bind[e.LayoutName] = safeEmbed
+
 		lay := e.Templates[layout[0]]
 		if lay == nil {
 			return fmt.Errorf("LayoutName %s does not exist", layout[0])

django/django_test.go

@@ -311,6 +311,37 @@ func Test_Invalid_Layout(t *testing.T) {
 	require.Error(t, err)
 }
 
+func Test_XSS(t *testing.T) {
+	engine := New("./views", ".django")
+	require.NoError(t, engine.Load())
+
+	var buf bytes.Buffer
+	err := engine.Render(&buf, "index", map[string]interface{}{
+		"Title": "<script>alert('XSS')</script>",
+	}, "layouts/main")
+	require.NoError(t, err)
+
+	expect := `<!DOCTYPE html><html><head><title>Main</title></head><body><h2>Header</h2><h1>&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;</h1><h2>Footer</h2></body></html>`
+	result := trim(buf.String())
+	require.Equal(t, expect, result)
+}
+
+func Test_XSS_WithAutoEscapeDisabled(t *testing.T) {
+    engine := New("./views", ".django")
+    engine.SetAutoEscape(false)
+    require.NoError(t, engine.Load())
+
+    var buf bytes.Buffer
+    err := engine.Render(&buf, "index", map[string]interface{}{
+        "Title": "<script>alert('XSS')</script>",
+    }, "layouts/main")
+    require.NoError(t, err)
+
+    expect := `<!DOCTYPE html><html><head><title>Main</title></head><body><h2>Header</h2><h1><script>alert('XSS')</script></h1><h2>Footer</h2></body></html>`
+    result := trim(buf.String())
+    require.Equal(t, expect, result)
+}
+
 func Benchmark_Django(b *testing.B) {
 	expectSimple := `<h1>Hello, World!</h1>`
 	expectExtended := `<!DOCTYPE html><html><head><title>Main</title></head><body><h2>Header</h2><h1>Hello, Admin!</h1><h2>Footer</h2></body></html>`