escaping needed in default templates

Issue #328 new
sean created an issue

I'm aware that Django autoescapes by default now, but seeing that the last release dates from October 2007, I thought I'd report these issues. I guess many users will base their modifications on the default templates, so these vulnerabilities might exist in live sites.

  • the login form takes a next parameter, which is not escaped in the output; this might even be exploitable with newer Django versions

  • the user account profile page fails to do any escaping; there are at least 8 vulnerable parameters

Regards, Sean
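The two findings above, reproduced with a stand-in renderer, as an added example that is not part of this issue or of the project's own templates. It assumes a minimal `{{ var }}` substitution (`render`) whose `autoescape` switch stands in for Django's pre-1.0 behaviour (variables inserted verbatim) versus the current default (every substituted value HTML-escaped); the template strings `LOGIN_TEMPLATE` and `PROFILE_TEMPLATE`, the `NEXT_VALUE` input, and the helpers `find_unescaped_vars` and `new_tags` are all constructed for this illustration. `find_unescaped_vars` is the audit an owner of customised templates would run to list variables that are not passed through `|escape`.

```python
import html
import re

# Constructed stand-in for an old-style registration/login.html: the 'next'
# value is reflected into a hidden input attribute without any filter.
LOGIN_TEMPLATE = (
    '<form method="post" action="/accounts/login/">\n'
    '<input type="hidden" name="next" value="{{ next }}" />\n'
    '</form>'
)

# Constructed stand-in for a profile page: two fields lack |escape, one has it.
PROFILE_TEMPLATE = (
    '<p>Name: {{ user.first_name }} {{ user.last_name }}</p>\n'
    '<p>Email: {{ user.email|escape }}</p>'
)

# Constructed input: closes the value attribute and appends harmless markup,
# enough to show whether the attribute boundary survives rendering.
NEXT_VALUE = '/"><b>injected</b>'

# {{ name }} or {{ name|filter|filter }} ; dotted names allowed.
_VAR = re.compile(r"\{\{\s*([\w.]+)((?:\|\w+)*)\s*\}\}")
_TAG = re.compile(r"<(\w+)")


def _lookup(context, name):
    """Resolve a dotted name against nested dicts or attributes; '' if missing."""
    value = context
    for part in name.split("."):
        if isinstance(value, dict):
            value = value.get(part, "")
        else:
            value = getattr(value, part, "")
    return str(value)


def render(template, context, autoescape=True):
    """Substitute template variables.

    autoescape=False mimics Django before 1.0: values go in verbatim unless
    the template author wrote |escape.  autoescape=True mimics the default
    since 1.0: every value is escaped (simplification: no SafeString / double
    escaping handling, which real Django has).
    """
    def sub(match):
        name, filters = match.group(1), match.group(2).split("|")[1:]
        value = _lookup(context, name)
        if autoescape or "escape" in filters:
            value = html.escape(value, quote=True)
        return value
    return _VAR.sub(sub, template)


def find_unescaped_vars(template):
    """Audit helper: variable names rendered without an explicit |escape filter."""
    return [name for name, filters in _VAR.findall(template)
            if "escape" not in filters.split("|")[1:]]


def new_tags(template, rendered):
    """Element names present in the rendered page but absent from the template.

    A non-empty result means a substituted value introduced its own markup."""
    return sorted(set(_TAG.findall(rendered)) - set(_TAG.findall(template)))


if __name__ == "__main__":
    ctx = {"next": NEXT_VALUE}
    print("unescaped vars in profile template:", find_unescaped_vars(PROFILE_TEMPLATE))
    print("pre-1.0 login render introduces:", new_tags(LOGIN_TEMPLATE, render(LOGIN_TEMPLATE, ctx, autoescape=False)))
    print("autoescaped login render introduces:", new_tags(LOGIN_TEMPLATE, render(LOGIN_TEMPLATE, ctx)))
```

Running the module shows `['user.first_name', 'user.last_name']` as the unescaped profile variables, `['b']` as markup introduced when the login template is rendered without autoescaping, and `[]` once autoescaping is on, because the `"` and `<` in the value become `&quot;` and `&lt;` and the hidden input's attribute boundary stays intact.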
