Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#2148 closed defect (fixed)

[patch] ForeignKey fields not escaped correctly in django admin

Reported by: rushman@…
Owned by: adrian
Component: contrib.admin
Version: master
Severity: major
Keywords:
Cc: Sergey Kirillov <rushman@…>
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Steps to reproduce:

1. Two models, m1 and m2.
2. m2 has a foreign key to m1, and this key is in list_display.
3. m1's __str__ returns '<script>alert(1)</script>'.

When you open the list of m2 objects in the Django admin, you should get some alerts.

Since this is a security hole, I'm setting severity to 'major'.
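The defect described in the ticket, reduced to a stand-alone example. This is added illustration, not the attached admin_list.diff and not Django's own change-list code: a minimal cell renderer for the change-list row is assumed, Python's stdlib html.escape stands in for django.utils.html.escape, and the model classes, the list_display tuple and the sample row are constructed here. The buggy renderer inserts the related object's str() verbatim; the fixed one escapes every displayed value, which is the behaviour the resolution comment describes.

```python
# Added example (not the ticket's patch): why a related object's __str__ must
# be HTML-escaped before it is placed into an admin change-list cell.
from html import escape  # stand-in for django.utils.html.escape (assumption)


class M1:
    """Related model whose string form is user-controlled (constructed)."""

    def __init__(self, name):
        self.name = name

    def __str__(self):
        return self.name


class M2:
    """Model with a ForeignKey to M1, shown in the admin change list."""

    def __init__(self, pk, m1):
        self.pk = pk
        self.m1 = m1


# Mirrors step 2 of the report: the foreign key is listed in list_display.
LIST_DISPLAY = ("pk", "m1")


def render_cell_unescaped(obj, field):
    """Buggy behaviour from the ticket: str() goes into the markup verbatim."""
    return "<td>%s</td>" % str(getattr(obj, field))


def render_cell_escaped(obj, field):
    """Fixed behaviour: every displayed value is HTML-escaped first."""
    return "<td>%s</td>" % escape(str(getattr(obj, field)))


def render_row(obj, cell_renderer):
    """Render one change-list row using the given cell renderer."""
    return "<tr>" + "".join(cell_renderer(obj, f) for f in LIST_DISPLAY) + "</tr>"


# Constructed sample data following the steps to reproduce.
PAYLOAD = "<script>alert(1)</script>"
SAMPLE_ROW = M2(pk=7, m1=M1(PAYLOAD))


def vulnerable_row():
    """Row as the unpatched admin would emit it."""
    return render_row(SAMPLE_ROW, render_cell_unescaped)


def fixed_row():
    """Row as the patched admin emits it: the payload is inert text."""
    return render_row(SAMPLE_ROW, render_cell_escaped)


def contains_raw_script(html_fragment):
    """Check a reviewer or regression test can apply to rendered output."""
    return "<script" in html_fragment.lower()


if __name__ == "__main__":
    print(vulnerable_row())
    print(fixed_row())
```

The check in contains_raw_script is the kind of assertion worth keeping in the admin's test suite: render a change list for an object whose related __str__ contains markup and assert the raw tag never reaches the response body.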

Attachments (1)

admin_list.diff (569 bytes) - added by rushman@… 9 years ago.
patch


Change History (4)

Changed 9 years ago by rushman@…

patch

comment:1 Changed 9 years ago by rushman@…

  • Summary changed from ForeignKey fields not escaped correctly in django admin to [patch] ForeignKey fields not escaped correctly in django admin

comment:2 Changed 9 years ago by Sergey Kirillov <rushman@…>

  • Cc Sergey Kirillov <rushman@…> added

comment:3 Changed 9 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [3124]) Fixed #2148 -- Now escaping ForeignKey fields correctly in Django admin change-list pages. Thanks, rushman@…
