#13980: The markdown template tag in django.contrib.markup should not be marked
as
safe output
--------------------------+-------------------------------------------------
Reporter: nomulous | Owner: nobody
Status: new | Milestone:
Component: Contrib apps | Version: 1.2
Keywords: | Stage: Unreviewed
Has_patch: 1 |
--------------------------+-------------------------------------------------
I'm not sure about the other markup options, but Markdown itself should
definitely not be marked as safe. You can easily render <script
type="text/javascript">alert('pwned')</script> with Markdown, and with
that is_safe = True there, the HTML will not be escaped.
--
Ticket URL: <http://code.djangoproject.com/ticket/13980>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to django-upda...@googlegroups.com.
To unsubscribe from this group, send email to
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en.
