id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
13177	Unescaped user input in the Admin interface	Fletcher Tomalty	nobody	"Steps to reproduce:
1. Go into the Django User Admin interface
2. Open a given user
3. Enter {{{ <script>alert('asdf')</script> }}} into the First Name field
4. Press ""Save and Continue Editing""

Basically, a {% firstof %} tag in the Admin templates isn't escaping the user's First name. This can be fixed by putting simple {% filter force_escape %} around it.

The bug can be found in /django/contrib/admin/templates/admin/base.html, a modified version of which is attached."		closed	contrib.admin	1.1		fixed			Accepted	1	0	1	0	0	0
