﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
33523	remove dangerous text from translated message about csrf error	Maxim Danilov	nobody	"in django\views\csrf.py function csrf_failure defined error dictionary ""c"" (error_name: error_description)

item with key 'no_referer3' has text:
'If you are using the <meta name=""referrer"" content=\""no-referrer\""> tag or including the “Referrer-Policy: no-referrer” header, please remove them. The CSRF protection requires the “Referer” header to do strict referer checking. If you’re concerned about privacy, use alternatives like <a rel=\""noreferrer\"" …> for links to third-party sites.'

If I put this message simply in <html><head><title> {{ c.no_referer3 }} </title>, it breaks the browser's work.
The browsers take <meta name=""referrer"" content=\""no-referrer\""> as a normal meta. (Chrome and Firefox)

This text ""from box"" has not escaped symbols and therefore it is dangerous. Of course, I can change it with translations."	Bug	closed	CSRF	4.0	Normal	invalid	csrf error message		Unreviewed	0	0	0	0	1	0
