
Ticket #11413 (closed: fixed)

Opened 9 months ago

Last modified 9 months ago

Need to update the doc for firstof and cycle tag behaviour with autoescaping on

Reported by: krystal Assigned to: nobody
Milestone: 1.1 Component: Documentation
Version: SVN Keywords:
Cc: Triage Stage: Unreviewed
Has patch: 0 Needs documentation: 0
Needs tests: 0 Patch needs improvement: 0

Description

When you use {% firstof var1 var2 %}, the output is not magically escaped, as it is a tag and not a filter, which can lead to an XSS vulnerability.

The "core" issue has been reported in #10834; it seems like everyone is OK to say that something needs to be done, but it won't be immediate.

I think that the current documentation is misleading, as we don't say explicitly that var won't be escaped, and I think the doc should be corrected for 1.1.

Here is a patch, written in my poor English, to help people not fall into the trap.
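The behaviour the ticket describes, as an added illustration that is not part of the ticket, the attached patch, or Django itself: a small stand-in model of `{% firstof %}` (first truthy argument, returned verbatim, so autoescaping never touches it), the `{% filter force_escape %}...{% endfilter %}` wrap that the documentation fix recommends, and a regex-based audit that lists `firstof`/`cycle` tags in a template source that are not inside such a wrap. The function names, the sample template and the untrusted value are all constructed for this example; the audit only recognises `force_escape` filter blocks as protection, which is an assumption of this example rather than a statement about Django's parser.

```python
"""Model of why {% firstof %} and {% cycle %} bypass autoescaping, plus a template audit.

Constructed example; it does not import Django and only mimics the tag semantics
described in the ticket.
"""
import html
import re

# Constructed untrusted value, e.g. a user-supplied title stored in the database.
UNTRUSTED = "<script>alert(1)</script>"


def firstof(*values):
    """Stand-in for Django 1.1's {% firstof %}: first truthy argument, unescaped."""
    for value in values:
        if value:
            return str(value)  # no escaping happens here, whatever autoescape is set to
    return ""


def firstof_force_escape(*values):
    """Stand-in for {% filter force_escape %}{% firstof ... %}{% endfilter %}."""
    return html.escape(firstof(*values), quote=True)


# Matches {% firstof ... %} and {% cycle ... %} tags (assumed tag syntax, no '%' in args).
TAG_RE = re.compile(r"{%\s*(firstof|cycle)\b[^%]*%}")
# Matches a {% filter force_escape %} ... {% endfilter %} block (non-nested, non-greedy).
FILTER_BLOCK_RE = re.compile(
    r"{%\s*filter\s+force_escape\s*%}.*?{%\s*endfilter\s*%}", re.S
)


def unescaped_tags(template_source):
    """Return (line_number, tag_text) for firstof/cycle tags not wrapped in force_escape."""
    protected = [m.span() for m in FILTER_BLOCK_RE.finditer(template_source)]
    findings = []
    for m in TAG_RE.finditer(template_source):
        if any(start <= m.start() < end for start, end in protected):
            continue  # inside a force_escape block: output will be escaped
        line = template_source.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(0)))
    return findings


# Constructed template: lines 1 and 2 emit unescaped output, line 3 is wrapped.
SAMPLE_TEMPLATE = """\
<h1>{% firstof user_title default_title %}</h1>
<tr class="{% cycle 'odd' 'even' %}">
<p>{% filter force_escape %}{% firstof bio "no bio" %}{% endfilter %}</p>
"""

if __name__ == "__main__":
    print("raw tag output:    ", firstof("", UNTRUSTED))
    print("force_escape wrap: ", firstof_force_escape("", UNTRUSTED))
    for line, tag in unescaped_tags(SAMPLE_TEMPLATE):
        print(f"line {line}: unescaped {tag}")
```

Running the audit over a project's template directory is the defender-side check: every reported tag either needs the `force_escape` wrap or a reason, recorded next to it, why its arguments are trusted (for `cycle`, typically string literals such as the CSS class names above).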

Attachments

doc-firstof-cycle-escaping.diff.2.txt (2.9 kB) - added by krystal on 07/02/09 10:17:37.
doc-firstof-cycle-escaping.diff.txt (2.9 kB) - added by krystal on 07/02/09 10:18:22.

Change History

07/02/09 10:17:37 changed by krystal

  • attachment doc-firstof-cycle-escaping.diff.2.txt added.

07/02/09 10:18:22 changed by krystal

  • attachment doc-firstof-cycle-escaping.diff.txt added.

07/02/09 10:19:49 changed by krystal

  • needs_better_patch changed.
  • needs_tests changed.
  • needs_docs changed.

Oops, bad cut & paste, I mean ticket #10912

07/03/09 00:43:02 changed by Alex

Fixed in r11163

07/03/09 00:43:05 changed by Alex

  • status changed from new to closed.
  • resolution set to fixed.
