From 15756da1f02fb997bdcc77f502a471e5466e56a2 Mon Sep 17 00:00:00 2001 From: David Lord Date: Tue, 6 Jun 2017 09:21:44 -0700 Subject: [PATCH] mention csp for javascript: uri xss closes #2174 [ci skip] --- docs/security.rst | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index 0d4cfdeb..b8714186 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -38,7 +38,7 @@ either double or single quotes when using Jinja expressions in them: .. sourcecode:: html+jinja - the text + Why is this necessary? Because if you would not be doing that, an attacker could easily inject custom JavaScript handlers. For example an @@ -46,15 +46,26 @@ attacker could inject this piece of HTML+JavaScript: .. sourcecode:: html - onmouseover=alert(document.cookie) + onmouseover=alert(document.cookie) -When the user would then move with the mouse over the link, the cookie +When the user would then move with the mouse over the input, the cookie would be presented to the user in an alert window. But instead of showing the cookie to the user, a good attacker might also execute any other JavaScript code. In combination with CSS injections the attacker might even make the element fill out the entire page so that the user would just have to have the mouse anywhere on the page to trigger the attack. +There is one class of XSS issues that Jinja's escaping does not protect +against. The ``a`` tag's ``href`` attribute can contain a `javascript:` URI, +which the browser will execute when clicked if not secured properly. + +.. sourcecode:: html + + click here + click here + +To prevent this, you'll need to set the :ref:`security-csp` response header. + Cross-Site Request Forgery (CSRF) --------------------------------- 
@@ -125,6 +136,8 @@ man-in-the-middle (MITM) attacks. :: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +.. _security-csp: + Content Security Policy (CSP) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -132,7 +145,7 @@ Tell the browser where it can load various types of resource from. This header should be used whenever possible, but requires some work to define the correct policy for your site. A very strict policy would be:: - response.headers['Content-Security-Policy'] = "default-src: 'self'" + response.headers['Content-Security-Policy'] = "default-src 'self'" - https://csp.withgoogle.com/docs/index.html - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
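Review bot: in the first hunk (`@@ -38,7 +38,7 @@`), the line added under `.. sourcecode:: html+jinja` is empty as rendered here while the removed line still reads `the text`, so the example of a quoted attribute that this paragraph refers to ("either double or single quotes when using Jinja expressions") has no visible replacement. Please confirm the replacement example line actually carries the quoted-attribute markup; an empty `sourcecode` block renders as nothing and leaves the "Why is this necessary?" sentence with no example to point at.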
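Review bot: in the second hunk (`@@ -46,15 +46,26 @@`), the new paragraph uses single backticks in `` `javascript:` `` while the surrounding text uses double backticks for ``a`` and ``href``; in reStructuredText single backticks are interpreted text, not a literal, so this should be ``javascript:`` for consistent rendering. On substance, "To prevent this, you'll need to set the :ref:`security-csp` response header." presents CSP as the only fix; since the cause is an untrusted value landing in ``href``, it would be clearer to say first that the value should be validated (for example, only accept ``http``/``https`` URLs) before it is placed in the attribute, with CSP as the defense-in-depth layer that also blocks such URIs when no ``'unsafe-inline'`` source is allowed. Also, the two `click here` example lines appear with their surrounding anchor markup stripped in this rendering; please check that the ``.. sourcecode:: html`` block still shows the ``href`` attribute, otherwise the example does not illustrate the point.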
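Review bot: in the last hunk (`@@ -132,7 +145,7 @@`), the change from `default-src: 'self'` to `default-src 'self'` is correct (the CSP directive syntax has no colon). Since the new XSS paragraph now links here, it would help the reader to add one sentence stating why this policy is relevant: with no ``'unsafe-inline'`` source listed, ``default-src 'self'`` also refuses inline event handlers and ``javascript:`` URIs, which is the "requires some work" caveat in practice, as a site relying on inline scripts or styles will need to move them to files served from its own origin or add the appropriate directives.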