Changes between Initial Version and Version 1 of Ticket #23561


Timestamp:
Sep 26, 2014, 11:50:14 AM (10 years ago)
Author:
djbug
Comment:

  • Ticket #23561 – Description

    initial → v1

    7 / 7 (unmodified): If `var` is escaped and the class attribute is in quotes, how can JS execution happen?
    8 / 8 (unmodified):
    9 / – (removed): The previous version of docs i.e. https://docs.djangoproject.com/en/1.6/topics/security/ & before didn't have quotes around `{{var}}` and that made sense as you switch out of the attribute context with many characters. Is this a typo in the docs for 1.7?
    – / 9 (added): The previous version of docs i.e. https://docs.djangoproject.com/en/1.6/topics/security/ & before didn't have quotes around `{{var}}` and that made sense as you switch out of the attribute context with many characters. Is this a typo in the docs for 1.7, or is it implied that the invalid characters in the class name *may* cause a security exception in some obscure browser that might close the class context? Is this a known security issue in any browser?
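The point the ticket asks about, as an added example that is not part of the ticket or of Django's own code: escaping neutralises `& < > " '`, but a space or `=` in an unquoted attribute value still ends the value and starts a new attribute, which is why the 1.7 docs quote `{{ var }}`. The example uses the standard library's `html.escape` in place of Django's autoescaping (it escapes the same five characters) and feeds the result to `html.parser` to show what attributes a parser actually sees; `render_class_attr`, `parsed_attrs` and the untrusted inputs are constructed for the illustration.

```python
# Added example (not from the ticket or from Django). html.escape is used as a
# stand-in for Django's autoescape: both escape &, <, >, " and ' and nothing else.
from html import escape
from html.parser import HTMLParser


def render_class_attr(value: str, quoted: bool) -> str:
    """Emit a <div> whose class attribute holds the escaped untrusted value."""
    safe = escape(value, quote=True)
    if quoted:
        return f'<div class="{safe}">'   # pattern recommended by the 1.7 docs
    return f"<div class={safe}>"         # older, unquoted pattern


class AttrCollector(HTMLParser):
    """Record the attributes the parser sees on the first start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if not self.attrs:
            self.attrs = dict(attrs)   # attribute values arrive already unescaped


def parsed_attrs(markup: str) -> dict:
    p = AttrCollector()
    p.feed(markup)
    return p.attrs


# Constructed untrusted inputs. The first contains only a space and '=', which
# escaping leaves untouched; the second also carries a double quote.
UNTRUSTED = {"plain": "a onclick=x", "with_quote": 'a" onclick=x'}


def demo() -> dict:
    """For each input, compare what the parser sees with and without quoting."""
    return {
        label: {
            "quoted": parsed_attrs(render_class_attr(value, quoted=True)),
            "unquoted": parsed_attrs(render_class_attr(value, quoted=False)),
        }
        for label, value in UNTRUSTED.items()
    }


if __name__ == "__main__":
    for label, seen in demo().items():
        print(label, "quoted  :", seen["quoted"])    # one 'class' attribute only
        print(label, "unquoted:", seen["unquoted"])  # an extra 'onclick' attribute appears
```

With quoting, the escaped quote stays inside the value and the result is a single `class` attribute; without quoting, the same escaped value splits into `class` plus a new event-handler attribute.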