Code

Opened 6 years ago

Closed 6 years ago

#5984 closed (duplicate)

debug view does not escape variable values

Reported by: mir Owned by: nobody
Component: Template system Version: master
Severity: Keywords: autoescape debug
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

In the debug view, variable values (and names) are not escaped.

There's an {% autoescape off %} in django/views/debug.py, line 415. I don't understand the reason for it (and then using |escape afterwards, but not line 449 to display the variables). Changing this to {% autoescape on %} fixes the bug.

Attachments (0)

Change History (1)

comment:1 Changed 6 years ago by mattmcc

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #5974.

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.