Review dynamic interpolation in Django format_html | Critiq Docs

#Metadata

Rule ID: py.security.django-format-html-unsafe
Severity: high
Confidence: 0.8
Languages: python
Presets: security, strict
Stability: stable
Applies to: block
Tags: django, python, rules-catalog, security, xss

#Why it matters

Unsafe interpolation patterns can still produce dangerous HTML when trusted and untrusted fragments are mixed incorrectly.

#Remediation

Keep templates static, ensure interpolated values are trusted for the target context, and avoid assembling HTML from user-controlled fragments.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/python/py.security.django-format-html-unsafe.rule.yaml.

Back to directory Open rule in repository