mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-30 17:16:10 +00:00
Code Issues 32 Releases Wiki Activity

Patch CSRF-protection system to deal with reported security issue. Announcement and details to follow.

Browse Source 
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
James Bennett
2010-09-09 00:34:54 +00:00
parent ef4b29a001
commit 9e3b327aca
3 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
django/template/defaulttags.py
View File

@@ -9,6 +9,7 @@ from django.template import TemplateSyntaxError, VariableDoesNotExist, BLOCK_TAG
from django.template import get_library, Library, InvalidTemplateLibrary
from django.template.smartif import IfParser, Literal
from django.conf import settings
from django.utils.html import escape
from django.utils.encoding import smart_str, smart_unicode
from django.utils.safestring import mark_safe
@@ -42,7 +43,7 @@ class CsrfTokenNode(Node):
if csrf_token == 'NOTPROVIDED':
return mark_safe(u"")
else:
return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))
return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % escape(csrf_token))
else:
# It's very probable that the token is missing because of
# misconfiguration, so we raise a warning