Opened 17 years ago
Closed 17 years ago
#5984 closed (duplicate)
debug view does not escape variable values
Reported by: | Michael Radziej | Owned by: | nobody |
---|---|---|---|
Component: | Template system | Version: | dev |
Severity: | | Keywords: | autoescape debug |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
In the debug view, variable values (and names) are not escaped.
There's an `{% autoescape off %}` in `django/views/debug.py`, line 415. I don't understand the reason for it (and then using `|escape` afterwards, but not line 449 to display the variables). Changing this to `{% autoescape on %}` fixes the bug.
Duplicate of #5974.
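A check for the pattern reported in this ticket, added here as an example and not taken from the ticket or from Django's code: it walks template source, tracks `{% autoescape %}` nesting, and reports every `{{ ... }}` that is output while autoescaping is off without an explicit `escape` or `force_escape` filter. The function name `unescaped_variables` and the sample template are constructed for illustration; the sample is not a copy of `django/views/debug.py`.

```python
import re

# Tokens of interest: autoescape block tags and variable output expressions.
TOKEN_RE = re.compile(
    r"\{%\s*(?P<tag>autoescape|endautoescape)\s*(?P<arg>on|off)?\s*%\}"
    r"|\{\{\s*(?P<var>.*?)\s*\}\}",
    re.S,
)
# Filters assumed to make a value safe to emit inside an autoescape-off block.
ESCAPING_FILTERS = {"escape", "force_escape"}


def unescaped_variables(source, default_autoescape=True):
    """Return (line, expression) for each {{ ... }} emitted while
    autoescaping is off and carrying no explicit escaping filter."""
    stack = [default_autoescape]  # innermost autoescape state is stack[-1]
    findings = []
    for m in TOKEN_RE.finditer(source):
        if m.group("tag") == "autoescape":
            stack.append(m.group("arg") == "on")
        elif m.group("tag") == "endautoescape":
            if len(stack) > 1:  # ignore a stray closing tag
                stack.pop()
        else:
            expr = m.group("var")
            # Filter names follow each "|"; filter arguments follow ":".
            filters = {f.split(":")[0].strip() for f in expr.split("|")[1:]}
            if not stack[-1] and not (filters & ESCAPING_FILTERS):
                line = source.count("\n", 0, m.start()) + 1
                findings.append((line, expr))
    return findings


# Constructed sample: one value is escaped by hand, the variable table is not.
SAMPLE = """{% autoescape off %}
<h1>{{ exception_type|escape }}</h1>
<table>
{% for var in frame.vars %}
<tr><td>{{ var.0 }}</td><td>{{ var.1|pprint }}</td></tr>
{% endfor %}
</table>
{% endautoescape %}
<p>{{ request_path }}</p>
"""

if __name__ == "__main__":
    for line, expr in unescaped_variables(SAMPLE):
        print(f"line {line}: {{{{ {expr} }}}} is output unescaped")
```

Switching the sample's block to `{% autoescape on %}`, the change proposed in the description, leaves the function with nothing to report.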