Code

Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#13177 closed (fixed)

Unescaped user input in the Admin interface

Reported by: nomulous Owned by: nobody
Component: contrib.admin Version: 1.1
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: yes Patch needs improvement: no
Easy pickings: UI/UX:

Description

Steps to reproduce:

  1. Go into the Django User Admin interface
  2. Open a given user
  3. Enter <script>alert('asdf')</script> into the First Name field
  4. Press "Save and Continue Editing"

Basically, a {% firstof %} tag in the Admin templates isn't escaping the user's First name. This can be fixed by putting simple {% filter force_escape %} around it.

The bug can be found in /django/contrib/admin/templates/admin/base.html, a modifired version of which is attached.

Attachments (1)

base.html (3.3 KB) - added by nomulous 4 years ago.
The patched admin template file

Download all attachments as: .zip

Change History (6)

Changed 4 years ago by nomulous

The patched admin template file

comment:1 Changed 4 years ago by nomulous

  • Has patch unset
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Also, ticket #10912 deals with escaping of template tags... should be an overall fix.

comment:2 Changed 4 years ago by nomulous

  • Has patch set
  • Needs tests set

comment:3 Changed 4 years ago by russellm

  • milestone set to 1.2
  • Triage Stage changed from Unreviewed to Accepted

comment:4 Changed 4 years ago by russellm

  • Resolution set to fixed
  • Status changed from new to closed

(In [12841]) [1.1.X] Fixed #13177 -- Corrected usage of firstof in admin templates. Thanks to nomulous for the report and patch.

Backport of r12840 from trunk.

comment:5 Changed 3 years ago by jacob

  • milestone 1.2 deleted

Milestone 1.2 deleted

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.