mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 06:06:09 +00:00
Code Issues 32 Releases Wiki Activity

Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.

Browse Source 
Thanks Keryn Knight for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
This commit is contained in:
Markus Holtermann
2022-01-02 00:37:40 +01:00
committed by Mariusz Felisiak
parent 97a7274468
commit 394517f078
7 changed files with 87 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
tests/template_tests/tests.py
View File

@@ -1,6 +1,5 @@
import sys
from django.contrib.auth.models import Group
from django.template import (
Context, Engine, TemplateDoesNotExist, TemplateSyntaxError,
)
@@ -163,15 +162,6 @@ class TemplateTestMixin:
with self.assertRaises(NoReverseMatch):
t.render(Context())
def test_debug_tag_non_ascii(self):
"""
#23060 -- Test non-ASCII model representation in debug output.
"""
group = Group(name="清風")
c1 = Context({"objs": [group]})
t1 = self._engine().from_string('{% debug %}')
self.assertIn("清風", t1.render(c1))
def test_extends_generic_template(self):
"""
#24338 -- Allow extending django.template.backends.django.Template