Always verify that user-controlled content in templates is properly HTML-escaped to prevent XSS attacks. Don’t just assume framework defaults are working - actively test with potentially malicious input to confirm that HTML tags are rendered as text rather than executed.
When displaying dynamic content in templates, test with HTML payloads like `<img src=x />` or `<script>alert('xss')</script>` to ensure they appear as literal text. For Django templates, confirm that the standard `{{ variable }}` syntax properly escapes HTML characters, converting `<` to `&lt;`, `>` to `&gt;`, etc.
Example verification:

```html
<!-- Template: -->
<p>API Key: <strong>{{ more_info }}</strong></p>
<!-- Test input: more_info = "<img src=x />" -->
<!-- Expected output: API Key: <strong>&lt;img src=x /&gt;</strong> -->
<!-- NOT: API Key: <strong><img src=x /></strong> -->
```
This practice helps catch cases where unsafe rendering methods might be accidentally used or where framework protections might not apply.
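The check described above, written out as a small test helper. This is an added example, not code from the original page; `is_rendered_as_text`, `audit_renderer` and `django_renderer` are names chosen here, and the Django part assumes Django is installed (the helper itself needs only the standard library).

```python
# Added example: verify that a renderer turns markup payloads into literal text.
import html

# The two payloads the page suggests; harmless once escaped.
PAYLOADS = ['<img src=x />', "<script>alert('xss')</script>"]


def escaped_form(payload: str) -> str:
    """What a correctly autoescaping engine should emit for `payload`.

    Assumption: Django's escape() maps < > & " ' exactly as html.escape()
    does (&lt; &gt; &amp; &quot; &#x27;), which holds for Django 3.0+.
    """
    return html.escape(payload)


def is_rendered_as_text(rendered: str, payload: str) -> bool:
    """True iff the payload survives only in escaped form.

    Both halves matter: the raw tag must be absent (no live markup reached the
    page) and the entity-encoded form must be present (the value was not
    silently dropped, which would also hide a broken template).
    """
    return payload not in rendered and escaped_form(payload) in rendered


def audit_renderer(render, payloads=PAYLOADS) -> dict:
    """Push every payload through `render` (value -> full HTML output) and
    report, per payload, whether it came back as text."""
    return {p: is_rendered_as_text(render(p), p) for p in payloads}


def django_renderer(template_src: str, var: str = "more_info"):
    """Build a `render` callable backed by Django's standalone template engine.

    Hypothetical helper: requires Django; Engine() works without settings.
    """
    from django.template import Context, Engine
    engine = Engine()
    return lambda value: engine.from_string(template_src).render(Context({var: value}))


if __name__ == "__main__":
    # Constructed stand-ins for "{{ more_info }}" and "{{ more_info|safe }}".
    safe = lambda v: f"<p>API Key: <strong>{html.escape(v)}</strong></p>"
    unsafe = lambda v: f"<p>API Key: <strong>{v}</strong></p>"
    print(audit_renderer(safe))    # every payload -> True
    print(audit_renderer(unsafe))  # every payload -> False
    # With Django installed, swap in the real template:
    # audit_renderer(django_renderer("<p>API Key: <strong>{{ more_info }}</strong></p>"))
```

A payload that maps to `False` means either an unsafe filter such as `|safe` is in play or the value never reached the output, and both cases deserve a look.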