request-data-fileresponse
reflected-data-httpresponse
mass-assignment
tainted-url-host
raw-html-format: ... (django.shortcuts.render) which will safely render HTML instead.
tainted-sql-string
csv-writer-injection: ... csv module. If user data is used to generate the data in this file, an attacker could inject a formula that executes when the CSV is imported into a spreadsheet application, which could steal data from the importing user or, at worst, install malware on the user's computer. defusedcsv is a drop-in replacement with the same API that attempts to mitigate formula injection. You can use defusedcsv instead of csv to safely generate CSVs.
request-data-write
reflected-data-httpresponsebadrequest
open-redirect