Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#27678 closed Cleanup/optimization (fixed)

Document that the template system isn't safe against untrusted template authors

Reported by: Tim Graham
Owned by: Andrew Nester
Component: Documentation
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

A few times (e.g. #12772) and in some security reports, the question has come up about whether or not the Django template language is safe against untrusted template authors. We should document that it is not, perhaps in docs/topics/templates.txt.

Change History (6)

comment:1 by Tim Graham, 7 years ago

Triage Stage: Unreviewed → Accepted

comment:2 by Andrew Nester, 7 years ago

Has patch: set
Owner: changed from nobody to Andrew Nester
Status: new → assigned

I created a PR for this ticket: PR

comment:3 by Tim Graham, 7 years ago

Patch needs improvement: set

comment:4 by Andrew Nester, 7 years ago

Patch needs improvement: unset

I updated the PR according to the changes requested.

comment:5 by Tim Graham <timograham@…>, 7 years ago

Resolution: fixed
Status: assigned → closed

In d2e40dd:

Fixed #27678 -- Warned that the template system isn't safe against untrusted authors.

comment:6 by Tim Graham <timograham@…>, 7 years ago

In d9f28876:

[1.11.x] Fixed #27678 -- Warned that the template system isn't safe against untrusted authors.

Backport of d2e40dd8c2031cd03700e72d87d455d5e974800c from master
