Opened 4 years ago

Closed 4 years ago

#18634 closed Bug (fixed)

Escaping in the startproject command

Reported by: Marc Tamlyn Owned by: nobody
Component: Core (Management commands) Version: master
Severity: Normal Keywords:
Cc: Florian Apolloner Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: yes Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The startproject command uses the template language, and seems to be html-escaping various things. For example aviraldg reported on IRC getting a SECRET_KEY with several instances of & in the middle of the string.

In this context it's harmless, but it may break other places where & or < are legitimate characters. We should probably render the whole template with escaping disabled.

Change History (3)

comment:1 Changed 4 years ago by Aymeric Augustin

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Triage Stage: UnreviewedAccepted

comment:2 Changed 4 years ago by Marc Tamlyn

Has patch: set
Needs tests: set

comment:3 Changed 4 years ago by Florian Apolloner <florian@…>

Resolution: fixed
Status: newclosed

In [a875f612e0ae84c2084d0b6230ffafe32a9777c8]:

Fixed #18634 -- Don't escape variables in the context for startproject/startapp.

The & symbols which can come up in the secret key were
being escaped to &amp;.

Note: See TracTickets for help on using tickets.
Back to Top