#13177 closed (fixed)
Unescaped user input in the Admin interface
| Reported by: | Fletcher Tomalty | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | 1.1 |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | yes | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Steps to reproduce:
- Go into the Django User Admin interface
- Open a given user
- Enter
<script>alert('asdf')</script>into the First Name field - Press "Save and Continue Editing"
Basically, a {% firstof %} tag in the Admin templates isn't escaping the user's First name. This can be fixed by putting simple {% filter force_escape %} around it.
The bug can be found in /django/contrib/admin/templates/admin/base.html, a modifired version of which is attached.
Attachments (1)
Change History (6)
by , 14 years ago
comment:1 by , 14 years ago
| Has patch: | unset |
|---|
Also, ticket #10912 deals with escaping of template tags... should be an overall fix.
comment:2 by , 14 years ago
| Has patch: | set |
|---|---|
| Needs tests: | set |
comment:3 by , 14 years ago
| milestone: | → 1.2 |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:4 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
The patched admin template file