id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
34770	Default autoescape off in password_reset_email.html	Yi Ming Yung	Yi Ming Yung	"In the source code, the contents of password_reset_email.html have {% autoescape off %} by default. This causes none of the variables put into the template to be escaped properly. This can lead to some simple HTML injection. It's not a big security issue, but it seems inconsistent, as this is the only template in the source code to do so.

I am also not sure why this would be desired in an email template, or at all by default for that matter. If someone knows or has a valid use case for this, please let me know.

For reference:
https://github.com/django/django/blob/59f475470494ce5b8cbff816b1e5dafcbd10a3a3/django/contrib/admin/templates/registration/password_reset_email.html#L1C11-L1C11"	Bug	closed	contrib.auth	4.2	Normal	invalid			Unreviewed	1	0	0	0	0	0
