Sonar: Set content type to `application/json` for `django.http.HttpResponse` with JSON data
sonar:python/django-json-response-type-S5131
| Importance | Review Guidance | Requires Scanning Tool |
|---|---|---|
| Medium | Merge Without Review | Yes (Sonar) |
This codemod acts upon the following Sonar rules: pythonsecurity:S5131.
The default `content_type` for `HttpResponse` in Django is `'text/html'`. This is true even when the response contains JSON data.
If the JSON contains (unsanitized) user-supplied input, a malicious user may supply HTML code which leaves the application vulnerable to cross-site scripting (XSS).
This fix explicitly sets the response type to `application/json` when the response body is JSON data to avoid this vulnerability. Our changes look something like this:
```diff
 from django.http import HttpResponse
 import json

 def foo(request):
     json_response = json.dumps({ "user_input": request.GET.get("input") })
-    return HttpResponse(json_response)
+    return HttpResponse(json_response, content_type="application/json")
```
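As an added example that is not part of this codemod's own implementation, the following stdlib-only checker mimics the transformation shown above: it walks a Python module with `ast`, finds `HttpResponse(...)` calls whose body is `json.dumps(...)` (passed directly or through a local name in the same view) and that lack a `content_type` keyword, and adds `content_type="application/json"`. The `SAMPLE` source is constructed for the demonstration, and `JsonResponseFixer`/`fix_source` are hypothetical names.

```python
import ast

# Constructed sample: the vulnerable view from this page plus one that is already fixed.
SAMPLE = '''
from django.http import HttpResponse
import json

def foo(request):
    json_response = json.dumps({"user_input": request.GET.get("input")})
    return HttpResponse(json_response)

def bar(request):
    return HttpResponse(json.dumps({"ok": True}), content_type="application/json")
'''

def _is_json_dumps(node):
    """True if node is a call to json.dumps(...)."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "dumps"
            and isinstance(node.func.value, ast.Name) and node.func.value.id == "json")

class JsonResponseFixer(ast.NodeTransformer):
    """Adds content_type="application/json" to HttpResponse calls that carry JSON bodies."""
    def __init__(self):
        self.json_names = set()   # local names bound to json.dumps(...) in the current view
        self.fixed_lines = []     # source lines of the HttpResponse calls that were rewritten
    def visit_FunctionDef(self, node):
        # Remember which locals hold json.dumps(...) output, e.g. json_response in foo()
        self.json_names = {t.id for stmt in node.body
                           if isinstance(stmt, ast.Assign) and _is_json_dumps(stmt.value)
                           for t in stmt.targets if isinstance(t, ast.Name)}
        self.generic_visit(node)
        return node
    def visit_Call(self, node):
        self.generic_visit(node)
        if isinstance(node.func, ast.Name) and node.func.id == "HttpResponse" and node.args:
            body = node.args[0]
            is_json = _is_json_dumps(body) or (isinstance(body, ast.Name) and body.id in self.json_names)
            if is_json and not any(kw.arg == "content_type" for kw in node.keywords):
                node.keywords.append(ast.keyword(arg="content_type", value=ast.Constant("application/json")))
                self.fixed_lines.append(node.lineno)
        return node

def fix_source(source):
    """Return (rewritten source, changed line numbers); a second pass changes nothing."""
    fixer = JsonResponseFixer()
    tree = ast.fix_missing_locations(fixer.visit(ast.parse(source)))
    return ast.unparse(tree), fixer.fixed_lines
```

This heuristic only recognizes `json.dumps(...)` passed directly or via a local name in the same function; the real codemod acts on Sonar's S5131 findings rather than on this pattern match.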
If you have feedback on this codemod, please let us know!
F.A.Q.
Why is this codemod marked as Merge Without Review?
This change will only restrict the response type and will not alter the response data itself. Thus we deem it safe.
Codemod Settings
N/A