#34770: Default autoescape off in password_reset_email.html
------------------------------+----------------------------------------
     Reporter:  Yi Ming Yung  |                    Owner:  Yi Ming Yung
         Type:  Bug           |                   Status:  closed
    Component:  contrib.auth  |                  Version:  4.2
     Severity:  Normal        |               Resolution:  needsinfo
     Keywords:                |             Triage Stage:  Unreviewed
    Has patch:  1             |      Needs documentation:  0
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+----------------------------------------
Changes (by Natalia Bidart):

 * keywords:  autoescape password_reset template =>
 * status:  assigned => closed
 * resolution:   => needsinfo
 * stage:  Ready for checkin => Unreviewed


Comment:

 Hello Yi Ming Yung,

 The template you mentioned is used by the internal system and all the
 variables sent in the context are
 [https://github.com/django/django/blob/59f475470494ce5b8cbff816b1e5dafcbd10a3a3/django/contrib/auth/forms.py#L356
 under the control of the django auth app], not of the user. The only
 external input is the email address used to send the password reset
 email; that email is not passed to the template, and it is also ignored
 if it does not match a user in the system.

 If you have managed to indeed generate an html injection, please do not
 post details in this ticket and
 [https://docs.djangoproject.com/en/dev/internals/security/ send those to
 the security email instead].

 Also, please read the
 [https://docs.djangoproject.com/en/4.2/internals/contributing/triaging-
 tickets/#ready-for-checkin guidelines for ticket triage stages]: the
 person submitting a patch should not mark their own tickets as `Ready for
 checkin`.

 Thank you!

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34770#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
