id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
3828	request.path leads to confusion/errors inside templates and may open XSS attacks	David Danier <goliath.mailinglist@…>	nobody	"django.core.context_processors.request puts the request into the context of templates. As request offers dictionary-access to the provided data (combination of GET and POST) request.XXX is not unambiguous. You can override {{ request.path }} by adding '?path=...' to your URL for example. Other attributes (GET, POST, ..., method, get_full_path or is_secure) can be overwritten the same way, of course.

This has many problems attached:
 * security:
   request.path is not escaped everywhere, because it is pre-filtered by url-config
   request.is_secure might be used to display forms only when using a secure connection (WLAN-setting?)
 * errors when using GET, POST, ...:
   suddenly no dictionary there
 * confusion:
   different behavior

As request.REQUEST exists the dictionary-access to request could be removed, I think. But to keep API stable I attached a patch that wraps the request inside templates and will only allow access to the attributes."		closed	Template system	dev		fixed	request template	dev@… mir@…	Accepted	1	0	0	0	0	0
