Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#2152 closed defect (fixed)

[patch] Username is not escaped in django admin

Reported by: Sergey Kirillov <rushman@…>
Owned by: adrian
Component: contrib.admin
Version:
Severity: normal
Keywords:
Cc: Sergey Kirillov <rushman@…>
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

If you set your user's first name to '<script>alert(1)</script>' you will get a JS alert on each Django admin page.
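The defect described above, as an added example that is not part of the ticket or of Django's code: a constructed header fragment that interpolates the user's first name with and without HTML escaping, plus the regression check the ticket leaves out. It assumes a plain f-string standing in for the admin template and uses Python's stdlib escaping rather than Django's.

```python
import html

# Constructed sample value mirroring the ticket's reproduction step:
# a user sets their own first name to a script tag.
MALICIOUS_FIRST_NAME = "<script>alert(1)</script>"


def render_welcome(first_name: str, escape_output: bool) -> str:
    """Render a hypothetical admin header fragment containing the user's name.

    escape_output=False reproduces the class of defect in the ticket: a
    user-controlled value is placed into HTML verbatim, so any markup it
    contains becomes part of the page. escape_output=True HTML-escapes the
    value first, which is the general fix for this bug class. The template
    string here is an assumption for illustration, not Django's own.
    """
    name = html.escape(first_name, quote=True) if escape_output else first_name
    return f'<div id="user-tools">Welcome, <strong>{name}</strong></div>'


def has_raw_markup(rendered: str, untrusted: str) -> bool:
    """Regression check: does the untrusted input survive verbatim in the output?

    If the exact input string (including its '<' and '>') appears in the
    rendered HTML, it reached the browser as markup rather than as text.
    """
    return untrusted in rendered


if __name__ == "__main__":
    vulnerable = render_welcome(MALICIOUS_FIRST_NAME, escape_output=False)
    fixed = render_welcome(MALICIOUS_FIRST_NAME, escape_output=True)
    print("vulnerable:", vulnerable, "| raw markup:", has_raw_markup(vulnerable, MALICIOUS_FIRST_NAME))
    print("fixed:     ", fixed, "| raw markup:", has_raw_markup(fixed, MALICIOUS_FIRST_NAME))
```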

Attachments (1)

base.diff (1.1 KB) - added by Sergey Kirillov <rushman@…> 8 years ago.
patch

Change History (2)

Changed 8 years ago by Sergey Kirillov <rushman@…>

patch

comment:1 Changed 8 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in [3129].
