Changes between Version 1 and Version 2 of Ticket #23561


Timestamp:
Sep 26, 2014, 11:51:23 AM (10 years ago)
Author:
djbug
  • Ticket #23561 – Description

    Unmodified (line 7 in v1 and v2):
    If `var` is escaped and the class attribute is in quotes, how can JS execution happen?

    Removed (v1, line 9):
    The previous version of the docs, i.e. https://docs.djangoproject.com/en/1.6/topics/security/ and before, didn't have quotes around `{{var}}`, and that made sense, as you switch out of the attribute context with many characters. Is this a typo in the docs for 1.7, or is it implied that the invalid characters in the class name *may* cause a security exception in some obscure browser that might close the class context? Is this a known security issue in any browser?

    Added (v2, line 9):
    The previous version of the docs, i.e. https://docs.djangoproject.com/en/1.6/topics/security/ and before, didn't have quotes around `{{var}}`, and that made sense (i.e. unquoted attributes are unsafe). However, in v1.7, is this a typo in the docs, or is it implied that the invalid characters in the class name *may* cause a security exception in some obscure browser that might close the class context? Is this a known security issue in any browser?