id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
11377	Filters should apply safe-ness rules to filter arguments	Stephen Kelly	nobody	"This was reported to security@, but is being treated as a normal bug because 
it requires lots of prerequisite knowledge from an attacker.

A filter uses is_safe=True to note that if given safe input it will generate 
safe output. However, it seems that only applies to the 'value' argument to 
the filter, but not to the 'arg' argument.

The attached patch and test to the join filter may make this clear. Currently 
string literals and variables are rendered unescaped, so join05 and join07 
fail.

This could be exploitable if an attacker knew the join filter was used join 
arguments with another user-supplied argument. I have not looked extensively 
yet at other filters, but there could be others vulnerable to this.


"		closed	Template system	1.0		fixed	filters escaping arguments		Ready for checkin	1	0	0	0	0	0