On Wed, May 7, 2008 at 3:41 PM, James Bennett <[EMAIL PROTECTED]> wrote:
> On Wed, May 7, 2008 at 2:32 PM, Jan Rademaker <[EMAIL PROTECTED]> wrote:
> > It does work, make sure you're not logged in.
> >
> > $ lynx -source -dump http://localhost:8000/admin/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/ | grep alert
> > <form action="/admin/"><script>alert(3939)</script>/" method="post" id="login-form">
>
> OK, so what's happening is that the admin is assuming that if you're
> not logged in, the current URL should be used as the URL to submit
> login information to. Which means it drops the request path into the
> form's "action" attribute and, since there are valid things for URLs
> that'd be incorrectly escaped if we let the autoescaper get at them,
> it's marked "safe" and so can contain HTML.
>
> Since there is a genuine XSS threat here, it needs to be fixed in the
> current admin and not simply punted to nfa. Optimal solution is to
> just point the thing at a genuinely consistent login URL and redirect
> back to where they were trying to go once the user's authenticated
> (preferably keeping the URL firmly in the address bar the whole time,
> like we already do with the "next" param for logging in everywhere
> else).

Trying this on newforms-admin (circa r7500) does not produce an alert box. In fact the form action is escaped:

<form action="/admin/"><script>alert(3939)</script>/" method="post" id="login-form">

But from the first paragraph above it sounds like that's not the correct behavior either? Just trying to understand if newforms-admin has a different problem....

Karen

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---
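As an added illustration of the pattern James describes (this is not code from Django or from anyone in the thread): a stand-alone emulation of a login form whose action is built from the request path and treated as safe, next to the consistent-login-URL-plus-"next" fix he proposes. The path is the one Jan fetched with lynx; `LOGIN_URL`, the function names and the `next`-recovery helper are assumptions of this example.

```python
import html
from urllib.parse import urlencode, parse_qs, urlsplit

# Decoded request path for the URL quoted in the thread
# (/admin/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/).
ATTACK_PATH = '/admin/"><script>alert(3939)</script>/'

# Fixed login endpoint used by the hardened variant (assumed name for this
# example, not a Django setting).
LOGIN_URL = "/admin/login/"


def vulnerable_login_form(request_path: str) -> str:
    """Mimics the behaviour described in the thread: the current request path
    is dropped into the form's action attribute and treated as already safe,
    so nothing escapes it. A double quote in the path closes the attribute
    early and whatever follows is rendered as markup."""
    return '<form action="%s" method="post" id="login-form">' % request_path


def hardened_login_form(request_path: str) -> str:
    """The fix proposed in the thread: always post to one consistent login URL
    and carry the original destination in a 'next' query parameter. urlencode
    percent-encodes the path (quotes, angle brackets, slashes included) and the
    whole attribute value is HTML-escaped, so the path cannot leave the
    attribute context whatever it contains."""
    action = "%s?%s" % (LOGIN_URL, urlencode({"next": request_path}))
    return '<form action="%s" method="post" id="login-form">' % html.escape(
        action, quote=True
    )


def next_from_action(form_html: str) -> str:
    """Recover the 'next' value a browser would submit from the hardened form,
    showing the original destination survives the round trip intact."""
    start = form_html.index('action="') + len('action="')
    end = form_html.index('"', start)
    action = html.unescape(form_html[start:end])
    return parse_qs(urlsplit(action).query)["next"][0]


def contains_script_tag(form_html: str) -> bool:
    """True if a raw <script> tag ended up in the generated HTML."""
    return "<script>" in form_html
```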