Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#2148 closed defect (fixed)

[patch] ForeignKey fields not escaped correctly in django admin

Reported by: rushman@…
Owned by: Adrian Holovaty
Component: contrib.admin
Version: master
Severity: major
Keywords:
Cc: Sergey Kirillov <rushman@…>
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Steps to reproduce:

1. Two models, m1 and m2.
2. m2 has a foreign key to m1, and this key is in list_display.
3. m1's __str__ returns '<script>alert(1)</script>'.

When you open the list of m2 objects in the Django admin, you should get some alerts.

Since this is a security hole, I'm setting severity to 'major'.
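The following is an added example, not part of the ticket and not the attached admin_list.diff (which this page does not reproduce). It models the reproduction steps above with two constructed stand-in classes, M1 and M2, and contrasts a change-list cell renderer that interpolates str() of the related object verbatim with one that HTML-escapes it first. Django's admin has its own escape utility (django.utils.html.escape); the example uses the standard library's html.escape so it runs without Django. All class, function and field names here are assumptions for illustration.

```python
"""
Added example (not from the ticket or its attached diff): why a ForeignKey
column in an admin change list must be escaped before it is placed in HTML.
M1/M2, `parent` and the render_* helpers are constructed for illustration.
"""
import html


class M1:
    """Stand-in for the referenced model; its __str__ is user-controlled data."""

    def __init__(self, name):
        self.name = name

    def __str__(self):
        return self.name


class M2:
    """Stand-in for the model shown in the change list; `parent` is the ForeignKey."""

    def __init__(self, parent):
        self.parent = parent


def render_cell_unescaped(obj, field):
    """Vulnerable form: str() of the related object is interpolated as-is."""
    return "<td>%s</td>" % str(getattr(obj, field))


def render_cell_escaped(obj, field):
    """Fixed form: the string form is HTML-escaped before interpolation."""
    return "<td>%s</td>" % html.escape(str(getattr(obj, field)), quote=True)


def render_changelist(objects, list_display, render_cell):
    """Build a minimal change-list table using the supplied cell renderer."""
    rows = []
    for obj in objects:
        cells = "".join(render_cell(obj, field) for field in list_display)
        rows.append("<tr>%s</tr>" % cells)
    return "<table>%s</table>" % "".join(rows)


def contains_raw_tag(markup, tag="script"):
    """Check used to detect an unescaped <tag ...> surviving into the output."""
    return ("<%s" % tag) in markup.lower()


# Constructed sample data mirroring the ticket's reproduction steps.
SAMPLE = [M2(M1("<script>alert(1)</script>")), M2(M1("Plain name"))]
LIST_DISPLAY = ["parent"]

if __name__ == "__main__":
    vulnerable = render_changelist(SAMPLE, LIST_DISPLAY, render_cell_unescaped)
    fixed = render_changelist(SAMPLE, LIST_DISPLAY, render_cell_escaped)
    print("raw <script> survives in vulnerable output:", contains_raw_tag(vulnerable))
    print("raw <script> survives in fixed output:", contains_raw_tag(fixed))
    print(fixed)
```

The point the ticket makes is that __str__ of a related object is data, not markup: any place the admin turns it into HTML has to escape it, whether the value is shown directly or reached through a ForeignKey.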

Attachments (1)

admin_list.diff (569 bytes) - added by rushman@… 10 years ago.
patch


Change History (4)

Changed 10 years ago by rushman@…

Attachment: admin_list.diff added

patch

comment:1 Changed 10 years ago by rushman@…

Summary: ForeignKey fields not escaped correctly in django admin → [patch] ForeignKey fields not escaped correctly in django admin

comment:2 Changed 10 years ago by Sergey Kirillov <rushman@…>

Cc: Sergey Kirillov <rushman@…> added

comment:3 Changed 10 years ago by Adrian Holovaty

Resolution: fixed
Status: new → closed

(In [3124]) Fixed #2148 -- Now escaping ForeignKey fields correctly in Django admin change-list pages. Thanks, rushman@…
