Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#24464 closed Cleanup/optimization (fixed)

Update default of template filters autoescape parameter to True

Reported by: Sasha Romijn
Owned by: nobody
Component: Template system
Version: master
Severity: Normal
Keywords:
Cc: Markus Holtermann
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

In order to avoid relying on users reading the documentation added in #21722 about the requirement to call built-in template filters with autoescape=True if escaping is needed, it seems useful to update the default to escape by default.

Change History (5)

comment:1 Changed 5 years ago by Markus Holtermann

Cc: Markus Holtermann added

comment:2 Changed 5 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: new → closed

In fa350e2f303572ee8f9a8302dda45a12288d3d95:

Fixed #24464 -- Made built-in HTML template filter functions escape their input by default.

This may cause some backwards compatibility issues, but may also
resolve security issues in third party projects that fail to heed warnings
in our documentation.

Thanks Markus Holtermann for help with tests and docs.

comment:3 Changed 5 years ago by Tim Graham <timograham@…>

In d16e4e1d6f95e6f46bff53cc4fd0ab398b8e5059:

[1.8.x] Fixed #24464 -- Made built-in HTML template filter functions escape their input by default.

This may cause some backwards compatibility issues, but may also
resolve security issues in third party projects that fail to heed warnings
in our documentation.

Thanks Markus Holtermann for help with tests and docs.

Backport of fa350e2f303572ee8f9a8302dda45a12288d3d95 from master

comment:4 Changed 5 years ago by Tim Graham <timograham@…>

In 35d68e8e766217924375e1a91533fee50159291c:

[1.8.x] Refs #24461 -- Added test/release notes for XSS issue in ModelAdmin.readonly_fields

This issue was fixed by refs #24464.

comment:5 Changed 5 years ago by Tim Graham <timograham@…>

In 82c9169077a066995e3b00aac551bf1c8a89d98a:

Refs #24461 -- Added test/release notes for XSS issue in ModelAdmin.readonly_fields

This issue was fixed by refs #24464.
