Opened 18 years ago

Closed 18 years ago

Last modified 18 years ago

#2152 closed defect (fixed)

[patch] Username is not escaped in django admin

Reported by: Sergey Kirillov <rushman@…> Owned by: Adrian Holovaty
Component: contrib.admin Version:
Severity: normal Keywords:
Cc: Sergey Kirillov <rushman@…> Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

If you set your user first name to '<script>alert(1)</script>' you will get JS alert for each django admin page.

Attachments (1)

base.diff (1.1 KB ) - added by Sergey Kirillov <rushman@…> 18 years ago.
patch

Download all attachments as: .zip

Change History (2)

by Sergey Kirillov <rushman@…>, 18 years ago

Attachment: base.diff added

patch

comment:1 by Adrian Holovaty, 18 years ago

Resolution: fixed
Status: newclosed

Fixed in [3129].

Note: See TracTickets for help on using tickets.
Back to Top