Mengurangi kemungkinan serangan XSS melalui mengalihkan URL penyediaan-pengguna¶

Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.utils.http.is_safe_url()) accepted URLs with leading control characters and so considered URLs like \x08javascript:... safe. This issue doesn't affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there. Browsers we tested also treat URLs prefixed with control characters such as %08//example.com as relative paths so redirection to an unsafe target isn't a problem either.

Bagaimanapun, jika seorang pengembang bergantung pada is_safe_url() untuk menyediakan ssaran pengalihan aman dan menaruh URL itu kedalam sebuah tautan, mereka dapat menderita dari sebuah serangan XSS ketika beberapa peramban seperti Google Chrome mengabaikan kendali karakter pada awal dari URL di sebuah jangkar href.