Opened 9 months ago

Closed 9 months ago

Last modified 9 months ago

#34770 closed Bug (invalid)

Default autoescape off in password_reset_email.html

Reported by: Yi Ming Yung
Owned by: Yi Ming Yung
Component: contrib.auth
Version: 4.2
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

In the source code, the contents of password_reset_email.html have {% autoescape off %} by default. This causes none of the variables put into the template to be escaped properly. This can lead to some simple HTML injection. It's not a big security issue, but it seems inconsistent, as this is the only template in the source code to do so.

I am also not sure why this would be desired in an email template or at all by default for that matter. If someone knows or has a valid usecase for this, please let me know.

For reference:
https://github.com/django/django/blob/59f475470494ce5b8cbff816b1e5dafcbd10a3a3/django/contrib/admin/templates/registration/password_reset_email.html#L1C11-L1C11
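The check implied by the report above (which templates render variables inside an `{% autoescape off %}` block, and which of those are not explicitly escaped) can be automated without loading Django at all. The scanner below is an added example written for this page, not code from Django or from the ticket's patch. It tokenises template source for `autoescape` open/close tags and `{{ ... }}` variable tags, tracks nested blocks, and reports every variable rendered while autoescaping is off unless it is piped through an escaping filter; because `|safe` disables escaping regardless of the surrounding mode, it reports that case too. The `SAMPLE_TEMPLATE` is a constructed approximation of a password reset email template, not the contents of the real file, and the `ESCAPING_FILTERS` list is an assumption about which built-in filters count as explicit escaping.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# One regex so that open/close/variable tags are visited in document order.
TOKEN = re.compile(
    r"{%\s*autoescape\s+(?P<mode>on|off)\s*%}"
    r"|(?P<end>{%\s*endautoescape\s*%})"
    r"|{{\s*(?P<var>.*?)\s*}}"
)

# Assumption: these built-in filters are treated as explicit escaping of the value.
ESCAPING_FILTERS = ("escape", "force_escape", "escapejs", "urlencode")


@dataclass
class Finding:
    line: int        # 1-based line in the template source
    variable: str    # the full {{ ... }} expression, filters included
    reason: str      # "autoescape off" or "safe filter"


def find_unescaped_variables(template_source: str) -> list[Finding]:
    """Return every variable tag that will be rendered without HTML escaping."""
    modes: list[str] = []          # stack of enclosing autoescape modes, innermost last
    findings: list[Finding] = []
    for match in TOKEN.finditer(template_source):
        lineno = template_source.count("\n", 0, match.start()) + 1
        if match.group("mode"):
            modes.append(match.group("mode"))
        elif match.group("end"):
            if not modes:
                raise ValueError(f"line {lineno}: endautoescape without a matching autoescape")
            modes.pop()
        else:
            expr = match.group("var")
            # Filter names are the segments after '|', with any ':arg' stripped.
            filters = [part.split(":", 1)[0].strip() for part in expr.split("|")[1:]]
            if "safe" in filters or "safeseq" in filters:
                findings.append(Finding(lineno, expr, "safe filter"))
            elif modes and modes[-1] == "off" and not any(f in ESCAPING_FILTERS for f in filters):
                findings.append(Finding(lineno, expr, "autoescape off"))
    if modes:
        raise ValueError("template ends inside an unclosed autoescape block")
    return findings


# Constructed sample, modelled loosely on a password reset email template.
SAMPLE_TEMPLATE = """{% load i18n %}{% autoescape off %}
{% blocktranslate %}You're receiving this email because you requested a password reset for your user account at {{ site_name }}.{% endblocktranslate %}

{% translate "Please go to the following page and choose a new password:" %}
{{ protocol }}://{{ domain }}{% url 'password_reset_confirm' uidb64=uid token=token %}

{% translate "Your username, in case you've forgotten:" %} {{ user.get_username|escape }}

{% endautoescape %}
<p>{{ footer|safe }}</p>
"""


def scan_files(paths: list[str]) -> list[tuple[str, Finding]]:
    """Scan template files on disk; returns (path, finding) pairs."""
    results = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for finding in find_unescaped_variables(fh.read()):
                results.append((path, finding))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, f in scan_files(sys.argv[1:]):
            print(f"{path}:{f.line}: {{{{ {f.variable} }}}} ({f.reason})")
    else:
        for f in find_unescaped_variables(SAMPLE_TEMPLATE):
            print(f"sample:{f.line}: {{{{ {f.variable} }}}} ({f.reason})")
```

Run with no arguments to scan the embedded sample, or pass template paths (for example every file under a project's templates directory) to get a per-file report. On the sample it reports site_name, protocol and domain as rendered with autoescape off, skips user.get_username because it carries |escape, and reports footer because of |safe; the Django maintainers' reply below explains why, for this particular template, these context values are not attacker-controlled.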

Change History (3)

comment:1 by Yi Ming Yung, 9 months ago

Owner: changed from nobody to Yi Ming Yung
Triage Stage: Unreviewed → Ready for checkin

comment:2 by Natalia Bidart, 9 months ago

Keywords: autoescape password_reset template removed
Resolution: → needsinfo
Status: assigned → closed
Triage Stage: Ready for checkin → Unreviewed

Hello Yi Ming Yung,

The template you mentioned is used by the internal system, and all the variables sent in the context are under the control of the django auth app, not of the user. The only external input is the email address used to send the password reset email; that email is not passed to the template, and it is also ignored if it does not match a user in the system.

If you have managed to indeed generate an html injection, please do not post details in this ticket and send those to the security email instead.

Also, please read the guidelines for ticket triage stages, the person submitting a patch should not mark their own tickets as Ready for checkin.

Thank you!

comment:3 by Natalia Bidart, 9 months ago

Resolution: needsinfo → invalid

Changing status to invalid after an email thread on the security mailing list.
