
Corrected HTML-escaping behaviour of url template tag.

Due to the URL encoding applied by the tag for all parameters that might be
partly controllable by an end-user, there are no XSS/security problems
caused by this bug, only invalid HTML.
This commit is contained in:
Luke Plant
2015-07-21 13:35:11 +01:00
parent 927b30a6ab
commit 8a5eadd140
2 changed files with 13 additions and 2 deletions


@@ -12,7 +12,7 @@ from django.conf import settings
from django.utils import six, timezone
from django.utils.deprecation import RemovedInDjango110Warning
from django.utils.encoding import force_text, smart_text
from django.utils.html import format_html
from django.utils.html import conditional_escape, format_html
from django.utils.lorem_ipsum import paragraphs, words
from django.utils.safestring import mark_safe
@@ -512,6 +512,8 @@ class URLNode(Node):
context[self.asvar] = url
return ''
else:
if context.autoescape:
url = conditional_escape(url)
return url