Changes between Initial Version and Version 1 of Ticket #23561
Timestamp: Sep 26, 2014, 11:50:14 AM
Ticket #23561 – Description
Unchanged:

If `var` is escaped and the class attribute is in quotes, how can JS execution happen?

Initial version:

The previous version of docs, i.e. https://docs.djangoproject.com/en/1.6/topics/security/ & before, didn't have quotes around `{{var}}` and that made sense as you switch out of the attribute context with many characters. Is this a typo in the docs for 1.7?

Version 1:

The previous version of docs, i.e. https://docs.djangoproject.com/en/1.6/topics/security/ & before, didn't have quotes around `{{var}}` and that made sense as you switch out of the attribute context with many characters. Is this a typo in the docs for 1.7, or is it implied that the invalid characters in class name *may* cause a security exception in some obscure browser that might close the class context? Is this a known security issue in any browser?
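The point the ticket circles around, as an added example that is not part of the ticket or of Django: whether escaping alone keeps a value inside a `class` attribute depends on whether the attribute is quoted. The code uses the standard library's `html.escape` as a stand-in for Django's autoescaping (both replace the same five characters) and the standard `html.parser` to see what a browser-like parser makes of the rendered tag; `render`, `attributes_of` and `value_stays_in_class` are names chosen here.

```python
import html
from html.parser import HTMLParser

# Two constructed template fragments: the quoted form the 1.7 docs show,
# and the unquoted form the earlier docs used.
QUOTED = '<div class="{{var}}">'
UNQUOTED = '<div class={{var}}>'


def render(template, value):
    """Stand-in for Django autoescaping: escape & < > " ' and substitute."""
    return template.replace("{{var}}", html.escape(value, quote=True))


class _FirstTag(HTMLParser):
    """Collects the attributes of the first start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            # html.parser hands back attribute values already unescaped.
            self.attrs = dict(attrs)


def attributes_of(markup):
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def value_stays_in_class(template, value):
    """True when the escaped value ends up as the class attribute and nothing
    else: no extra attributes were created by the value."""
    attrs = attributes_of(render(template, value))
    return set(attrs) == {"class"} and attrs.get("class") == value


if __name__ == "__main__":
    # Constructed sample values: whitespace and quote characters are the
    # ones that matter for an attribute context.
    for template in (QUOTED, UNQUOTED):
        for value in ("foo", "foo bar=baz", 'foo" bar="baz'):
            print(template, repr(value), value_stays_in_class(template, value))
```

With quotes, the escaped `"` becomes `&quot;` and whitespace is harmless, so the value cannot leave the attribute; without quotes, a space alone starts a new attribute even though nothing needed escaping.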