Lack of sanitization of user data

Docs > Code Analysis > Static Analysis Rules > Lack of sanitization of user data

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: python-django/http-response-from-request

Language: Python

Severity: Error

Category: Security

CWE: 22

Description

The response sent with an HttpResponse contains unsanitized request data. The data should be sanitized before being returns in an HttpResponse.

Learn More

CWE-20: Improper Input Validation

Non-Compliant Code Examples

def execute_command(request):
    data = request.GET.get("data")
    print("foobar")
    foo = HttpResponse("data: '{0}'".format(data))
    foo = HttpResponse(data)
    return HttpResponse("data: '{0}'".format(data))

Compliant Code Examples

def execute_command(request):
    data = request.GET.get("data")
    print("foobar")
    return HttpResponse("user '{user}' does not exist".format(sanitize_data(data)))