DataDog · avara1986 · Feb 17, 2025 · Jan 29, 2025 · Jan 29, 2025 · Jan 30, 2025
@@ -197,7 +197,8 @@ tests/:
           TestXPathInjection_ExtendedLocation: missing_feature
           TestXPathInjection_StackTrace: missing_feature
         test_xss.py:
-          TestXSS: missing_feature
+          TestXSS:
+            '*': v3.0.0.dev
           TestXSS_ExtendedLocation: missing_feature
           TestXSS_StackTrace: missing_feature
       source/:

@@ -15,7 +15,10 @@ class TestXSS(BaseSinkTestWithoutTelemetry):
     insecure_endpoint = "/iast/xss/test_insecure"
     secure_endpoint = "/iast/xss/test_secure"
     data = {"param": "param"}
-    location_map = {"java": "com.datadoghq.system_tests.iast.utils.XSSExamples"}
+    location_map = {
+        "java": "com.datadoghq.system_tests.iast.utils.XSSExamples",
+        "python": {"django-poc": "app/urls.py"},
+    }
 
 
 @rfc(

@@ -16,6 +16,8 @@
 from django.http import HttpResponse, HttpResponseBadRequest, JsonResponse
 from django.urls import path
 from django.views.decorators.csrf import csrf_exempt
+from django.shortcuts import render
+from django.utils.safestring import mark_safe
 from moto import mock_aws
 import urllib3
 from iast import (
@@ -530,6 +532,20 @@ def view_iast_ssrf_secure(request):
     return HttpResponse("OK")
 
 
+@csrf_exempt
+def view_iast_xss_insecure(request):
+    param = request.POST.get("param", "")
+    # Validate the URL and enforce whitelist
+    return render(request, "index.html", {"param": mark_safe(param)})
+
+
+@csrf_exempt
+def view_iast_xss_secure(request):
+    param = request.POST.get("param", "")
+    # Validate the URL and enforce whitelist
+    return render(request, "index.html", {"param": param})
+
+
 @csrf_exempt
 def view_iast_stacktraceleak_insecure(request):
     return HttpResponse("""
@@ -980,6 +996,8 @@ def s3_multipart_upload(request):
     path("iast/path_traversal/test_secure", view_iast_path_traversal_secure),
     path("iast/ssrf/test_insecure", view_iast_ssrf_insecure),
     path("iast/ssrf/test_secure", view_iast_ssrf_secure),
+    path("iast/xss/test_insecure", view_iast_xss_insecure),
+    path("iast/xss/test_secure", view_iast_xss_secure),
     path("iast/stack_trace_leak/test_insecure", view_iast_stacktraceleak_insecure),
     path("iast/stack_trace_leak/test_secure", view_iast_stacktraceleak_secure),
     path("iast/source/body/test", view_iast_source_body),

@@ -55,7 +55,9 @@
 TEMPLATES = [
     {
         "BACKEND": "django.template.backends.django.DjangoTemplates",
-        "DIRS": [],
+        "DIRS": [
+            os.path.join(BASE_DIR, "django_app", "templates"),
+        ],
         "APP_DIRS": True,
         "OPTIONS": {
             "context_processors": [

@@ -0,0 +1,5 @@
+<html>
+<body>
+<p>Input: {{ user_input }}</p>
+</body>
+</html>
@@ -7,7 +7,7 @@ RUN apt-get update && apt-get install -y curl git gcc g++ make cmake
 RUN python --version && curl --version
 
 # install python deps
-RUN pip install fastapi uvicorn cryptography==42.0.8 pycryptodome python-multipart
+RUN pip install fastapi uvicorn cryptography==42.0.8 pycryptodome python-multipart jinja2
 
 # Install Rust toolchain
 RUN curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain stable -y

@@ -14,13 +14,15 @@
 from fastapi import Header
 from fastapi import Request
 from fastapi.responses import JSONResponse
+from fastapi.responses import HTMLResponse
 from fastapi.responses import PlainTextResponse
 from iast import weak_cipher
 from iast import weak_cipher_secure_algorithm
 from iast import weak_hash
 from iast import weak_hash_duplicates
 from iast import weak_hash_multiple
 from iast import weak_hash_secure_algorithm
+from jinja2 import Template
 import psycopg2
 from pydantic import BaseModel
 import requests
@@ -913,6 +915,20 @@ def safe_eval(expr):
     return "OK"
 
 
+@app.post("/iast/xss/test_insecure", response_class=PlainTextResponse)
+async def view_iast_xss_insecure(param: typing.Annotated[str, Form()]):
+    template = Template("<p>{{ param|safe }}</p>")
+    html = template.render(param=param)
+    return HTMLResponse(html)
+
+
+@app.post("/iast/xss/test_secure", response_class=PlainTextResponse)
+async def view_iast_xss_secure(param: typing.Annotated[str, Form()]):
+    template = Template("<p>{{ param }}</p>")
+    html = template.render(param=param)
+    return HTMLResponse(html)
+
+
 @app.get("/createextraservice", response_class=PlainTextResponse)
 def create_extra_service(serviceName: str = ""):
     if serviceName:

@@ -30,10 +30,12 @@
 from flask import Flask
 from flask import Response
 from flask import jsonify
+from flask import render_template_string
 from flask import request
 from flask import request as flask_request
 from flask_login import LoginManager
 from flask_login import login_user
+
 from iast import weak_cipher
 from iast import weak_cipher_secure_algorithm
 from iast import weak_hash
@@ -1235,6 +1237,20 @@ def safe_eval(expr):
     return resp
 
 
+@app.route("/iast/xss/test_insecure", methods=["POST"])
+def view_iast_xss_insecure():
+    param = flask_request.form["param"]
+
+    return render_template_string("<p>XSS: {{ param|safe }}</p>", param=param)
+
+
+@app.route("/iast/xss/test_secure", methods=["POST"])
+def view_iast_xss_secure():
+    param = flask_request.form["param"]
+
+    return render_template_string("<p>XSS: {{ param }}</p>", param=param)
+
+
 _TRACK_METADATA = {
     "metadata0": "value0",
     "metadata1": "value1",