Opened 3 years ago

Closed 3 years ago

#18634 closed Bug (fixed)

Escaping in the startproject command

Reported by: mjtamlyn
Owned by: nobody
Component: Core (Management commands)
Version: master
Severity: Normal
Keywords:
Cc: apollo13
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no


The startproject command uses the template language, and seems to be html-escaping various things. For example aviraldg reported on IRC getting a SECRET_KEY with several instances of &amp; in the middle of the string.

In this context it's harmless, but it may break other places where & or < are legitimate characters. We should probably render the whole template with escaping disabled.

Change History (3)

comment:1 Changed 3 years ago by aaugustin

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

comment:2 Changed 3 years ago by mjtamlyn

  • Has patch set
  • Needs tests set

comment:3 Changed 3 years ago by Florian Apolloner <florian@…>

  • Resolution set to fixed
  • Status changed from new to closed

In [a875f612e0ae84c2084d0b6230ffafe32a9777c8]:

Fixed #18634 -- Don't escape variables in the context for startproject/startapp.

The & symbols which can come up in the secret key were
being escaped to &amp;.
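
The behaviour reported in this ticket, and a check for settings files that were generated with it, as an added example that is not part of the ticket or of Django's code. The `render` function is a simplified stand-in for template rendering with and without autoescaping, and the template line, the sample key and the names `render` and `find_escaped_settings` are assumptions made for the illustration.

```python
import ast
import html
import re

# Entities produced by HTML-escaping the characters & < > " '
ENTITY = re.compile(r"&(?:amp|lt|gt|quot|#39|#x27);")


def render(template: str, context: dict, autoescape: bool) -> str:
    """Fill {{ name }} placeholders; HTML-escape each value when autoescape
    is on. Assumed model of the rendering step, not Django's implementation."""
    def fill(match):
        value = str(context[match.group(1)])
        return html.escape(value, quote=True) if autoescape else value
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", fill, template)


def find_escaped_settings(source: str) -> dict:
    """Return {setting name: [entities found]} for top-level string
    assignments in a settings module. The values themselves are never
    returned, so the result is safe to log."""
    hits = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        found = ENTITY.findall(value.value)
        if found:
            for target in node.targets:
                if isinstance(target, ast.Name):
                    hits[target.id] = found
    return hits


# Constructed sample input: a two-line settings template and a made-up key.
SETTINGS_TEMPLATE = "SECRET_KEY = '{{ secret_key }}'\nDEBUG = True\n"
SAMPLE_KEY = "k3&p!x&9z(q"

escaped = render(SETTINGS_TEMPLATE, {"secret_key": SAMPLE_KEY}, autoescape=True)
plain = render(SETTINGS_TEMPLATE, {"secret_key": SAMPLE_KEY}, autoescape=False)

if __name__ == "__main__":
    print(escaped)                          # key written with &amp; in it
    print(find_escaped_settings(escaped))   # flags SECRET_KEY
    print(find_escaped_settings(plain))     # nothing flagged
```

A flagged key is still the string the project signs with, so replacing it with the unescaped form changes the key and invalidates existing signed data.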
