Issue 17: thread title should be escaped
The thread's title is unescaped in forum_list.html, which could lead to an XSS attack. I'm aware that recent Django versions use autoescape by default, but I guess it won't hurt to make this change. A similar vulnerability can be found in the breadcrumbs in thread.html, where the title is also shown. Regards, Sean
#1 rwpoul...@gmail.com (Project Member), Apr 14, 2008
Status: Fixed
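As an added example (not code from this issue or from the project's templates), a plain-Python stand-in for the two template spots the report names, the forum_list.html row and the thread.html breadcrumb, with Django-style per-variable escaping emulated by a `SafeString` marker and a `conditional_escape` helper; those names mirror Django's concept but are this example's own, and the thread title is a constructed sample. It shows why an explicit escape is harmless under autoescape (no double escaping) and that a value marked safe bypasses autoescape entirely.

```python
import html


class SafeString(str):
    """Text already safe for HTML output; stands in for a value marked safe."""


def conditional_escape(value):
    """Escape unless already marked safe, the way per-variable autoescape works."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def render_forum_row(title, autoescape=True):
    """Stand-in for the forum_list.html row that prints the thread title."""
    shown = conditional_escape(title) if autoescape else str(title)
    return f'<li class="thread">{shown}</li>'


def render_breadcrumbs(forum_name, title, autoescape=True):
    """Stand-in for the thread.html breadcrumb, which repeats the title."""
    crumbs = [forum_name, title]
    shown = [conditional_escape(c) if autoescape else str(c) for c in crumbs]
    return '<div class="breadcrumbs">' + " &raquo; ".join(shown) + "</div>"


def title_is_inert(fragment, title):
    """True when the title reaches the fragment only in its escaped form."""
    if not any(ch in title for ch in '<>&"\''):
        return True  # nothing to escape, so nothing can have leaked through
    return html.escape(title, quote=True) in fragment and title not in fragment


# Constructed sample title: harmless markup and quotes, enough to show the difference.
SAMPLE_TITLE = 'Re: "quotes" & <b>bold</b>'

if __name__ == "__main__":
    print(render_forum_row(SAMPLE_TITLE))                    # autoescape on: inert
    print(render_forum_row(SAMPLE_TITLE, autoescape=False))  # autoescape off: raw markup
    # Explicit escape under autoescape is a no-op, not a double escape.
    print(render_forum_row(conditional_escape(SAMPLE_TITLE)))
    # A value marked safe is passed through even with autoescape on.
    print(render_forum_row(SafeString(SAMPLE_TITLE)))
    print(render_breadcrumbs("General", SAMPLE_TITLE))
```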