Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#2152 closed defect (fixed)

[patch] Username is not escaped in django admin

Reported by: Sergey Kirillov <rushman@…> Owned by: Adrian Holovaty
Component: contrib.admin Version:
Severity: normal Keywords:
Cc: Sergey Kirillov <rushman@…> Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


If you set your user first name to '<script>alert(1)</script>' you will get JS alert for each django admin page.

Attachments (1)

base.diff (1.1 KB) - added by Sergey Kirillov <rushman@…> 14 years ago.

Download all attachments as: .zip

Change History (2)

Changed 14 years ago by Sergey Kirillov <rushman@…>

Attachment: base.diff added


comment:1 Changed 14 years ago by Adrian Holovaty

Resolution: fixed
Status: newclosed

Fixed in [3129].

Note: See TracTickets for help on using tickets.
Back to Top