
Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.

Thanks Keryn Knight for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
Author: Markus Holtermann
Date: 2022-01-02 00:37:40 +01:00
Committed by: Mariusz Felisiak
parent 97a7274468
commit 394517f078
7 changed files with 87 additions and 16 deletions


@@ -8,6 +8,16 @@ Django 4.0.2 fixes two security issues with severity "medium" and several bugs
in 4.0.1. Also, the latest string translations from Transifex are incorporated,
with a special mention for Bulgarian (fully translated).
CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================
The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
Bugfixes
========