id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
2290	HTML not escaped in Admin messages	anonymous	Adrian Holovaty	"Messages in the Admin interface (e.g. ""The --- was changed successfully"") are not HTML escaped.  Line 33 of contrib\admin\templates\admin\base.html should be as follows:

{{{
<ul class=""messagelist"">{% for message in messages %}<li>{{ message|escape }}</li>{% endfor %}</ul>
}}}

Sean :)"	defect	closed	contrib.admin		normal	fixed			Unreviewed	0	0	0	0	0	0
