docs(headless): Add note on input sanitization

pennersr · Nov 8, 2024 · da14924 · da14924
1 parent 7f3ff3e
commit da14924
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/docs/headless/openapi-specification/description.md b/docs/headless/openapi-specification/description.md
@@ -188,3 +188,25 @@ While authenticated, re-authentication may be required to safeguard the account
 are performed. The re-authentication flows are the following:
 - Re-authenticate using password (`reauthenticate`).
 - Re-authenticate using a 2FA authenticator (TOTP, recovery codes, or WebAuthn) (`mfa_reauthenticate`).
+
+# Security Considerations
+
+## Input Sanitization
+
+The Django framework, by design, does *not* perform input sanitization. For
+example, there is nothing preventing end users from signing up using `<script>`
+or `Robert'); DROP TABLE students` as a first name. Django relies on its
+template language for proper escaping of such values and mitigate any XSS
+attacks.
+
+As a result, any `allauth.headless` client **must** have proper XSS protection
+in place as well. Be prepared that, for example, the WebAuthn endpoints could
+return authenticator names as follows:
+
+    {
+      "name": "<script>alert(1)</script>",
+      "credential": {
+        "type": "public-key",
+        ...
+      }
+    }