#5880: Cross-site(?) scripting when adding text via the "foreign key" popup window
-----------------------------------+----------------------------------------
Reporter: [EMAIL PROTECTED] | Owner: nobody
Status: new | Component: Admin interface
Version: SVN | Resolution:
Keywords: | Stage: Unreviewed
Has_patch: 0 | Needs_docs: 0
Needs_tests: 0 | Needs_better_patch: 0
-----------------------------------+----------------------------------------
Changes (by gwilson):
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
Comment:
Description of patch:
{{{
Escaped strings passed to the response that closes the popup window to
prevent XSS.
Added quotes around the second argument passed to
`opener.dismissAddAnotherPopup` to make the function also work when a text
field is used as the primary key.
Unescape the strings passed in to the `dismissAddAnotherPopup` JavaScript
function so that the new option displays correctly in the dropdown box.
}}}
Thoughts?
--
Ticket URL: <http://code.djangoproject.com/ticket/5880#comment:1>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
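
The three changes in the patch description above, sketched as an added example (this is not the patch attached to the ticket and not Django's code). The response template, the function names and the sample values are constructed for illustration; the backslash and line-break handling is an assumption that goes beyond what the ticket describes.

```python
import html
import json
import re

# Constructed approximation of the response that closes the popup window.
TEMPLATE = ('<script type="text/javascript">'
            'opener.dismissAddAnotherPopup(window, {pk}, {label});</script>')

def render_unsafe(pk, label):
    """'Before' shape: raw values, and the primary key is not quoted."""
    return TEMPLATE.format(pk=pk, label='"%s"' % label)

def js_quoted(value):
    """HTML-escape a value, then wrap it as a double-quoted JS string literal."""
    s = html.escape(str(value), quote=True)  # < > & " ' become entities
    # Assumption beyond the ticket text: HTML escaping leaves backslashes and
    # line breaks alone, and both can end or alter a JS string literal.
    s = s.replace("\\", "\\\\").replace("\n", "\\n").replace("\r", "\\r")
    return '"%s"' % s

def render_safe(pk, label):
    """'After' shape: both arguments escaped, and both quoted."""
    return TEMPLATE.format(pk=js_quoted(pk), label=js_quoted(label))

ARGS = re.compile(
    r'dismissAddAnotherPopup\(window, ("[^"]*"), ("[^"]*")\);</script>$')

def opener_side_values(response):
    """Model of the opener window: read the two string literals, then undo the
    entity escaping so the new <option> displays the original text."""
    m = ARGS.search(response)
    if m is None:
        raise ValueError("arguments are not two plain string literals")
    return tuple(html.unescape(json.loads(g)) for g in m.groups())

if __name__ == "__main__":
    sample = '</script><script>alert(1)</script>'  # constructed test string
    print(render_unsafe("abc", sample))  # bare identifier, markup passes through
    print(render_safe("abc", sample))    # one script element, two string literals
    print(opener_side_values(render_safe("abc", sample)))
```

In the unsafe rendering a text primary key appears as a bare identifier and the label can close the script element; in the safe rendering both arrive as string literals and the opener recovers the original text by unescaping.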