Django

Ticket #2148 (closed: fixed)

Opened 2 years ago

Last modified 2 years ago

[patch] ForeignKey fields not escaped correctly in django admin

Reported by: rushman@mail.ru
Assigned to: adrian
Milestone:
Component: django.contrib.admin
Version: SVN
Keywords:
Cc: Sergey, Kirillov, <rushman@mail.ru>
Triage Stage: Unreviewed
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

Steps to reproduce:

1. Two models, m1 and m2.
2. m2 has a foreign key to m1, and this key is set in list_display.
3. m1's __str__ returns '<script>alert(1)</script>'.

When you open the list of m2 objects in the Django admin, you should get some alerts.

Since this is a security hole, I'm setting severity to 'major'.
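An added illustration of the reported behaviour and of the escaping fix, written for this page; it is not Django's admin code and not the attached patch. The M1/M2 stand-ins, the two cell renderers and the sample object are constructed for the example, and stdlib html.escape stands in for Django's own escape helper.

```python
# Added example; not Django's code. The model stand-ins, the renderer
# names and the sample data are constructed for this illustration.
from html import escape


class M1:
    """Stand-in for the related model (step 3): __str__ carries markup."""
    def __init__(self, name):
        self.name = name

    def __str__(self):
        return self.name


class M2:
    """Stand-in for the listed model (step 2): 'parent' is the FK to M1."""
    def __init__(self, parent):
        self.parent = parent


def render_fk_cell_unescaped(obj, field_name):
    """Mirrors the bug: the related object's str() is dropped into the
    change-list cell verbatim, so markup in __str__ becomes live HTML."""
    related = getattr(obj, field_name)
    return "<td>%s</td>" % str(related)


def render_fk_cell_escaped(obj, field_name):
    """The fix: treat the related object's str() as data, not markup,
    and HTML-escape it before it reaches the page."""
    related = getattr(obj, field_name)
    return "<td>%s</td>" % escape(str(related), quote=True)


# Constructed sample matching the report's __str__ value.
hostile = M2(M1("<script>alert(1)</script>"))
# Constructed benign sample: an ampersand must survive as data too.
benign = M2(M1("Tom & Jerry"))

if __name__ == "__main__":
    print(render_fk_cell_unescaped(hostile, "parent"))
    print(render_fk_cell_escaped(hostile, "parent"))
    print(render_fk_cell_escaped(benign, "parent"))
```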

Attachments

admin_list.diff (0.6 kB) - added by rushman@mail.ru on 06/13/06 17:56:16.
patch

Change History

06/13/06 17:56:16 changed by rushman@mail.ru

  • attachment admin_list.diff added.

patch

06/13/06 17:56:53 changed by rushman@mail.ru

  • summary changed from ForeignKey fields not escaped correctly in django admin to [patch] ForeignKey fields not escaped correctly in django admin.

06/13/06 18:09:01 changed by Sergey Kirillov <rushman@mail.ru>

  • cc set to Sergey, Kirillov, <rushman@mail.ru>.

06/13/06 18:18:16 changed by adrian

  • status changed from new to closed.
  • resolution set to fixed.

(In [3124]) Fixed #2148 -- Now escaping ForeignKey fields correctly in Django admin change-list pages. Thanks, rushman@mail.ru
