Opened 18 years ago

Closed 18 years ago

Last modified 18 years ago

#2148 closed defect (fixed)

[patch] ForeignKey fields not escaped correctly in django admin

Reported by: rushman@…
Owned by: Adrian Holovaty
Component: contrib.admin
Version: dev
Severity: major
Keywords:
Cc: Sergey Kirillov <rushman@…>
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Steps to reproduce:

1. Two models, m1 and m2.
2. m2 has a foreign key to m1, and this key is in its list_display.
3. m1's __str__ returns '<script>alert(1)</script>'.

When you open the list of m2 objects in the Django admin, you should get some alerts.

Since this is a security hole, I'm setting severity to 'major'.
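A stand-alone Python model of the bug and of the fix the commit message describes, added here as an illustration and not Django's own admin code: the two stand-in classes, the LIST_DISPLAY tuple and the render functions are constructed for this example, and the hardened variant escapes the related object's string form with the standard library's html.escape rather than reproducing Django's admin_list implementation.

```python
import html

# Constructed stand-ins for the two models in the report: the related
# object's __str__ carries the markup, and the change-list shows the FK column.
class M1:
    def __init__(self, name):
        self.name = name

    def __str__(self):
        return self.name


class M2:
    def __init__(self, title, parent):
        self.title = title
        self.parent = parent  # stands in for the ForeignKey to M1

    def __str__(self):
        return self.title


# Hypothetical list_display for M2, as in step 2 of the report.
LIST_DISPLAY = ("title", "parent")


def render_cell_vulnerable(obj, field):
    # Pre-fix behaviour: the related object is rendered via str() with no escaping,
    # so markup in M1.__str__ becomes live HTML in the change-list.
    return "<td>%s</td>" % str(getattr(obj, field))


def render_cell_fixed(obj, field):
    # The fix: escape the string form before it lands in the HTML cell.
    return "<td>%s</td>" % html.escape(str(getattr(obj, field)), quote=True)


def render_row(obj, list_display, escape_fk):
    cell = render_cell_fixed if escape_fk else render_cell_vulnerable
    return "<tr>" + "".join(cell(obj, f) for f in list_display) + "</tr>"


def contains_raw_markup(fragment, payload):
    # Regression check: does the payload appear verbatim (unescaped) in the output?
    return payload in fragment


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"  # the value from step 3 of the report
    row = M2("first", M1(payload))
    print(render_row(row, LIST_DISPLAY, escape_fk=False))
    print(render_row(row, LIST_DISPLAY, escape_fk=True))
```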

Attachments (1)

admin_list.diff (569 bytes ) - added by rushman@… 18 years ago.
patch


Change History (4)

by rushman@…, 18 years ago

Attachment: admin_list.diff added

patch

comment:1 by rushman@…, 18 years ago

Summary: ForeignKey fields not escaped correctly in django admin → [patch] ForeignKey fields not escaped correctly in django admin

comment:2 by Sergey Kirillov <rushman@…>, 18 years ago

Cc: Sergey Kirillov <rushman@…> added

comment:3 by Adrian Holovaty, 18 years ago

Resolution: fixed
Status: new → closed

(In [3124]) Fixed #2148 -- Now escaping ForeignKey fields correctly in Django admin change-list pages. Thanks, rushman@…
