id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
37170	No-argument form of @sensitive_post_parameters() doesn't cleanse request.POST	Jacob Walls	Jacob Walls	"The Security Team closed an informative report about the no-argument form of `@sensitive_post_parameters()` not cleansing request.POST, as you can see from adjusting this existing test:

{{{#!diff
diff --git a/tests/view_tests/views.py b/tests/view_tests/views.py
index 1986341177..835fe22111 100644
--- a/tests/view_tests/views.py
+++ b/tests/view_tests/views.py
@@ -398,7 +398,7 @@ async def async_sensitive_method_view_nested(request):
 
 
 @sensitive_variables(""sauce"")
-@sensitive_post_parameters(""bacon-key"", ""sausage-key"")
+@sensitive_post_parameters()
 def multivalue_dict_key_error(request):
     cooked_eggs = """".join([""s"", ""c"", ""r"", ""a"", ""m"", ""b"", ""l"", ""e"", ""d""])  # NOQA
     sauce = """".join(  # NOQA
}}}
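
Review bot: Swapping the decorator in place on `multivalue_dict_key_error` (the `-`/`+` pair) drops the named-key form from this view, so a regression test built this way would trade one covered case for the other. For the fix, add a separate view decorated with `@sensitive_post_parameters()` and assert against that, leaving this view's `bacon-key` and `sausage-key` arguments as they are so both forms stay exercised.
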
{{{#!py
AssertionError: 2 != 0 :'sausage-value' unexpectedly found in the following response
}}}


... but the exception reporter filter is not in-scope for security issues, as filtering is done on a [https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-error-reports best-efforts basis].

Looks like an oversight in #21098.

Thanks LocalHost for the report."	Bug	assigned	Error reporting	dev	Normal		not-security		Accepted	0	0	0	0	0	0
