#31466: A potential security issue in the Django template filter `escapejs`
---------------------------------+--------------------------------------
Reporter: Phithon | Owner: Phithon
Type: New feature | Status: assigned
Component: Template system | Version: 3.0
Severity: Normal | Resolution:
Keywords: escapejs | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+--------------------------------------
Comment (by Claude Paroz):
I'm afraid this must be classified in programming errors, for which Django
cannot help. The `escapejs` filter has absolutely no way to detect if it
is used in commented code. In your example, it only receives the
`request.GET.q` content, not the code around it. I'm suggesting to `won't
fix` that issue, but I'll let a second triager confirm it.
Also please note that security issues should be privately sent to
secur...@djangoproject.com and never on public issue trackers.
https://docs.djangoproject.com/en/stable/internals/security/#reporting-
security-issues
--
Ticket URL: <https://code.djangoproject.com/ticket/31466#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/065.cf5e0ef0774f52ab6bb93d13b989f7d0%40djangoproject.com.
