READ-ONLY: This project has been archived. For more information see this post.
Issue 17: thread title should be escaped
Status:  Fixed
Owner:  ----
Closed:  Apr 2008
Reported by mcallist...@gmail.com, Apr 12, 2008
The thread's title is unescaped in forum_list.html, which could lead to an
XSS attack. I'm aware that recent Django versions use autoescape by
default, but I guess it won't hurt to make this change.
A similar vulnerability can be found in the breadcrumbs in thread.html
where the title is also shown.

Regards, Sean
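Added illustration of the issue described in this report (not code from the project or from the reporter): a minimal Python stand-in for the forum_list.html row and the thread.html breadcrumb, rendered once with the title interpolated verbatim and once with it escaped. The standard library's `html.escape` plays the role of Django's `escape` filter (or template autoescaping); the template shape, the sample thread titles and the function names are constructed for this example.

```python
import html
from string import Template

# Constructed sample thread titles (not taken from the project's data):
# a benign one and one that embeds a script tag.
THREAD_TITLES = [
    "Welcome to the forum",
    '<script>alert("xss")</script>',
]

# Hypothetical stand-in for one row of forum_list.html and for the
# breadcrumb in thread.html: the title appears once inside the title=""
# attribute and once as the link text.
ROW = Template('<li><a href="/thread/$id/" title="$title">$title</a></li>')


def render_unescaped(titles):
    """The defect the report describes: titles go into the markup verbatim."""
    return "\n".join(
        ROW.substitute(id=i, title=t) for i, t in enumerate(titles)
    )


def render_escaped(titles):
    """The fix: turn & < > " ' into entities before interpolation, which is
    what Django's {{ title|escape }} filter (or autoescaping) does."""
    return "\n".join(
        ROW.substitute(id=i, title=html.escape(t, quote=True))
        for i, t in enumerate(titles)
    )


def leaks_raw_markup(rendered, titles):
    """Return True if any title containing HTML-special characters survives
    verbatim in the rendered page, i.e. the output is still injectable."""
    special = '<>"\'&'
    return any(
        any(ch in t for ch in special) and t in rendered for t in titles
    )


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped),
                         ("escaped", render_escaped)):
        out = render(THREAD_TITLES)
        print(f"--- {name} ---")
        print(out)
        print("injectable:", leaks_raw_markup(out, THREAD_TITLES))
```

Running the block prints both renderings; the unescaped one carries the script tag through intact, while the escaped one contains only `&lt;script&gt;...`. The same one-line change applies to the breadcrumb in thread.html, since both templates interpolate the same user-controlled title.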
 
Apr 14, 2008
Project Member #1 rwpoul...@gmail.com
Fixed in latest SVN. Thank you!
Status: Fixed

Powered by Google Project Hosting