Real-World CVE XSS Exploit in Django Template Engine

A Django app with autoescape enabled gets XSS. The team can't figure out how — the template engine is supposed to escape everything by default. What they missed: a single mark_safe() call in a view utility function, written three years ago to render "trusted" notification banners, now sits on a code path that receives URL query parameters. The attacker sends a crafted link to a support rep, the rep clicks it while authenticated, and the session cookie is gone. This is the anatomy of that class of bug.

How the Django Template XSS Bug Works

The Django template engine escapes output by default. When a string flows from a Python view into a template variable, Django's autoescaping converts <, >, ", ', and & into their HTML entity equivalents before rendering. The protection breaks the moment a string is marked safe before tainted data reaches the template.…
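To make the mechanism concrete, here is an added self-contained example (not the article's code and not Django's): the SafeString, mark_safe, conditional_escape and format_html functions below are a hypothetical pure-Python stand-in for Django's real helpers of the same names, and the "trusted banner" helper is shown beside a hardened form that escapes the data before marking the markup safe.

```python
import html
from urllib.parse import parse_qs

# Stand-in for Django's safe-string contract (hypothetical re-implementation, not Django's code).
# To run against Django itself, replace these four definitions with:
#   from django.utils.safestring import SafeString, mark_safe
#   from django.utils.html import conditional_escape, format_html
class SafeString(str):
    """Marker type: the autoescaper will NOT touch instances of this class."""

def mark_safe(s: str) -> SafeString:
    """Declare a string trusted; the template engine will emit it verbatim."""
    return SafeString(s)

def conditional_escape(value) -> SafeString:
    """What autoescape does per variable: escape, unless the value is already marked safe."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))

def format_html(fmt: str, *args) -> SafeString:
    """Escape each argument, then mark the assembled markup safe."""
    return mark_safe(fmt.format(*(conditional_escape(a) for a in args)))

def render_banner_vulnerable(message: str) -> SafeString:
    """The old 'trusted banner' helper: marks the whole string safe, so whatever
    arrives in `message` is never escaped downstream."""
    return mark_safe(f'<div class="banner">{message}</div>')

def render_banner_fixed(message: str) -> SafeString:
    """Hardened form: only the static markup is trusted; the data is escaped first."""
    return format_html('<div class="banner">{}</div>', message)

def render_page(query_string: str, banner_fn) -> str:
    """Stand-in for the view plus template: reads ?msg= from the query string and
    pushes the banner through autoescape (conditional_escape) into the page."""
    params = parse_qs(query_string)
    message = params.get("msg", [""])[0]  # untrusted: attacker-controlled URL parameter
    return str(conditional_escape(banner_fn(message)))

def script_survives(rendered: str) -> bool:
    """Detection check: did raw <script markup reach the rendered output?"""
    return "<script" in rendered.lower()

if __name__ == "__main__":
    # Constructed sample: a crafted link carrying markup in the msg parameter.
    qs = "msg=%3Cscript%3Ealert(1)%3C/script%3E"
    print(render_page(qs, render_banner_vulnerable))
    print(render_page(qs, render_banner_fixed))
```

Running it prints the banner twice: the first line carries the script tag through untouched, the second shows it neutralised as entities.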