Description
Cross-Site Scripting occurs when user-supplied data is rendered back into an application's pages without escaping. If the user-supplied data can be used to create new HTML or JavaScript, the user gains control over the application's behavior at the presentation layer. Here the username is output with the safe filter, which turns off Django's autoescaping for that value:
<a data-toggle="dropdown" class="dropdown-toggle" href="#">
<span class="username">{{ user.username|safe }}</span>
<b class="caret"></b>
</a>
Remove the safe filter from the user.username expression in the backend/base.html and tutorials/base.html templates so that Django's default autoescaping applies to the value. Consider setting X-XSS-Protection in your webserver configuration as well. This header instructs clients' browsers to always block the XSS attacks their built-in filter detects. Django can do this automatically if you set SECURE_BROWSER_XSS_FILTER to True in the configuration. While this won't protect against all XSS attacks, it's still a useful addition to your security. Note that this setting was deprecated in Django 3.0 and removed in Django 4.0, and most current browsers have dropped their X-XSS-Protection filter, so template autoescaping is the control to rely on.
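The following is an added example, not code from the finding or the affected project: a standard-library Python script that audits Django templates for output that disables autoescaping (the safe filter and autoescape off blocks) and shows what the user.username line renders with and without the safe filter. The template strings, the template names and the attacker-chosen username are constructed for the demonstration; Django itself is not required.

```python
"""Audit Django templates for escaping bypasses and show why |safe matters.
Standard library only; html.escape(quote=True) escapes the same five
characters as Django's autoescaping (& < > " ')."""
import re
from html import escape
from pathlib import Path

# {{ ... |safe ... }}: the filter may sit anywhere in a chain, e.g. |safe|lower
SAFE_FILTER = re.compile(r"\{\{[^}]*\|\s*safe\b[^}]*\}\}")
AUTOESCAPE_OFF = re.compile(r"\{%\s*autoescape\s+off\s*%\}")


def find_unsafe_output(source: str) -> list[tuple[int, str]]:
    """Return (line_number, matched_tag) for every escaping bypass in a template."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern in (SAFE_FILTER, AUTOESCAPE_OFF):
            hits.extend((lineno, m.group(0)) for m in pattern.finditer(line))
    return hits


def audit_templates(templates: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Map template name -> findings, keeping only templates with at least one."""
    return {name: hits for name, src in templates.items()
            if (hits := find_unsafe_output(src))}


def load_templates(root: Path) -> dict[str, str]:
    """Read every .html file under a templates directory (hypothetical helper)."""
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8")
            for p in sorted(root.rglob("*.html"))}


def render_username(username: str, marked_safe: bool) -> str:
    """What Django emits for {{ user.username }} with |safe (True) or autoescaped."""
    return username if marked_safe else escape(username, quote=True)


# Constructed sample: the vulnerable snippet from the finding and its fixed form.
VULNERABLE = """<a data-toggle="dropdown" class="dropdown-toggle" href="#">
<span class="username">{{ user.username|safe }}</span>
<b class="caret"></b>
</a>"""
FIXED = VULNERABLE.replace("{{ user.username|safe }}", "{{ user.username }}")

if __name__ == "__main__":
    report = audit_templates({"backend/base.html": VULNERABLE,
                              "tutorials/base.html": FIXED})
    for name, hits in report.items():
        for lineno, tag in hits:
            print(f"{name}:{lineno}: escaping disabled by {tag}")
    attacker_name = "<b>eve</b>"  # constructed attacker-chosen username
    print("with |safe: ", render_username(attacker_name, marked_safe=True))
    print("autoescaped:", render_username(attacker_name, marked_safe=False))
```

Run it against a real tree with audit_templates(load_templates(Path("templates"))); every reported line is a place where escaping must be re-enabled or the value proven to be trusted.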