Just confirming for:
Django version 0.97-newforms-admin-SVN-7233
does not produce an alert box.
In fact the form action is escaped here, too.

peschler


On May 8, 12:26 am, "Karen Tracey" <[EMAIL PROTECTED]> wrote:
> On Wed, May 7, 2008 at 3:41 PM, James Bennett <[EMAIL PROTECTED]> wrote:
>
> > On Wed, May 7, 2008 at 2:32 PM, Jan Rademaker <[EMAIL PROTECTED]>
> > wrote:
>
> > >  It does work, make sure you're not logged in.
>
> > >  $ lynx -source -dump
> >http://localhost:8000/admin/%22%3E%3Cscript%3Ealert%283939%29%3C/scri...
> > >  | grep alert
> > >  <form action="/admin/"><script>alert(3939)</script>/" method="post"
> > >  id="login-form">
>
> > OK, so what's happening is that the admin is assuming that if you're
> > not logged in, the current URL should be used as the URL to submit
> > login information to. Which means it drops the request path into the
> > form's "action" attribute and, since there are valid things for URLs
> > that'd be incorrectly escaped if we let the autoescaper get at them,
> > it's marked "safe" and so can contain HTML.
>
> > Since there is a genuine XSS threat here, it needs to be fixed in the
> > current admin and not simply punted to nfa. Optimal solution is to
> > just point the thing at a genuinely consistent login URL and redirect
> > back to where they were trying to go once the user's authenticated
> > (preferably keeping the URL firmly in the address bar the whole time,
> > like we already do with the "next" param for logging in everywhere
> > else).
>
> Trying this on newforms-admin (circa r7500) does not produce an alert box.
> In fact the form action is escaped:
>
> <form action="/admin/&quot;&gt;&lt;script&gt;alert(3939)&lt;/script&gt;/"
> method="post" id="login-form">
>
> But from the first paragraph above it sounds like that's not the correct
> behavior either?
>
> Just trying to understand if newforms-admin has a different problem....
>
> Karen