Hi.

It seems the urlize filter marks its output as safe, but the
django.utils.html.urlize function on which it depends is only escaping
the content of the "a" element (i.e. the text between <a> and </a>).

Any other text passed to the filter is not escaped. Also, the URL
inserted in the href attribute is not escaped or URL-encoded.

A couple of examples:

--
blurb = "<script>alert('xss')</script>"

{{ blurb }} is ok, it gets autoescaped
{{ blurb|urlize }} does not get escaped
--

--
blurb = "http://example.com/\";><script>alert('xss')</script>/"

{{ blurb|urlize }} is not escaped or URL-encoded within the href
attribute
--

As a workaround I tried:
{% autoescape off %}{{ blurb|escape|urlize }}{% endautoescape %}

But it doesn't help.  I tested using revision 6678.

Thanks.

Scott
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---
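The gap Scott describes, shown as an added, stand-alone example (not Django's code and not part of the original post): a deliberately simplified urlize-style filter that reproduces the reported behaviour, next to a hardened version. `urlize_unsafe` models the report (whitespace-split words that start with http://, https:// or www. become links, only the visible link text is escaped, everything else goes through raw); `urlize_safe` escapes every text segment and percent-encodes plus HTML-escapes the href. The two payloads are the ones from the post; the word-splitting and prefix test are assumptions, not Django's actual regexes, and the example does not model template autoescaping or the `escape|urlize` workaround.

```python
import html
import re
from urllib.parse import quote

# Assumption: a minimal urlize-style tokenizer. Words are split on runs of
# whitespace (separators kept so the text can be re-joined) and any word that
# starts with one of these prefixes is turned into a link. This is a model of
# the behaviour described in the report, NOT django.utils.html.urlize itself.
WORD_SPLIT_RE = re.compile(r"(\s+)")
LINK_PREFIXES = ("http://", "https://", "www.")

# Characters allowed to stay un-encoded in an href (RFC 3986 reserved set plus
# '%'); notably '"', '<' and '>' are NOT in it and get percent-encoded.
HREF_SAFE = ":/?#[]@!$&'()*+,;=%"


def _is_url(word):
    return word.startswith(LINK_PREFIXES)


def _href_for(word):
    return word if word.startswith("http") else "http://" + word


def urlize_unsafe(text):
    """Model of the reported behaviour: only the link text between <a> and
    </a> is escaped; surrounding text and the href attribute are not."""
    out = []
    for word in WORD_SPLIT_RE.split(text):
        if _is_url(word):
            # href is inserted raw: a '"' inside the word closes the attribute.
            out.append('<a href="%s">%s</a>' % (_href_for(word), html.escape(word)))
        else:
            # Non-URL text is passed through unescaped.
            out.append(word)
    return "".join(out)


def urlize_safe(text):
    """Hardened variant: every text segment is HTML-escaped, and the href is
    percent-encoded and then HTML-escaped before being placed in the attribute."""
    out = []
    for word in WORD_SPLIT_RE.split(text):
        if _is_url(word):
            # Percent-encode anything outside HREF_SAFE (removes '"', '<', '>'),
            # then HTML-escape so '&' and "'" cannot break the attribute either.
            href = html.escape(quote(_href_for(word), safe=HREF_SAFE), quote=True)
            out.append('<a href="%s">%s</a>' % (href, html.escape(word)))
        else:
            out.append(html.escape(word))
    return "".join(out)


# Constructed inputs, taken from the two cases in the report.
PAYLOAD_TEXT = "<script>alert('xss')</script>"
PAYLOAD_HREF = "http://example.com/\";><script>alert('xss')</script>/"
BENIGN = "see http://example.com/ today"

if __name__ == "__main__":
    for label, payload in (("text", PAYLOAD_TEXT), ("href", PAYLOAD_HREF), ("benign", BENIGN)):
        print("%-6s unsafe: %s" % (label, urlize_unsafe(payload)))
        print("%-6s safe:   %s" % (label, urlize_safe(payload)))
```

Running it shows the `<script>` tag surviving intact in both unsafe outputs (once as surrounding text, once as a broken-out href attribute), while the hardened version keeps the benign input linked and reduces both payloads to inert escaped text.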