Avoid Django mark_safe for dynamic content | Critiq Docs

#Metadata

Rule ID: py.security.django-mark-safe
Severity: high
Confidence: 0.88
Languages: python
Presets: security, strict
Stability: stable
Applies to: block
Tags: django, python, rules-catalog, security, xss

#Why it matters

`mark_safe` bypasses Django escaping and can introduce cross-site scripting when values are not strictly trusted.

#Remediation

Prefer Django auto-escaping or sanitize untrusted values before rendering instead of forcing trust with `mark_safe`.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/python/py.security.django-mark-safe.rule.yaml.

Back to directory Open rule in repository