Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#2152 closed defect (fixed)

[patch] Username is not escaped in django admin

Reported by: Sergey Kirillov <rushman@…> Owned by: adrian
Component: contrib.admin Version:
Severity: normal Keywords:
Cc: Sergey Kirillov <rushman@…> Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


If you set your user first name to '<script>alert(1)</script>' you will get JS alert for each django admin page.

Attachments (1)

base.diff (1.1 KB) - added by Sergey Kirillov <rushman@…> 9 years ago.

Download all attachments as: .zip

Change History (2)

Changed 9 years ago by Sergey Kirillov <rushman@…>


comment:1 Changed 9 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in [3129].

Note: See TracTickets for help on using tickets.
Back to Top