mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-07-25 06:04:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

[4.0.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.

Browse source 
Thanks Keryn Knight for the report.

Backport of 394517f078 from main.

Co-authored-by: Adam Johnson <me@adamj.eu>
This commit is contained in:
Markus Holtermann 2022-01-02 00:37:40 +01:00 committed by Mariusz Felisiak
parent 6928227dff
commit 0142204606
7 changed files with 87 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

10
tests/template_tests/tests.py
View file

@ -1,6 +1,5 @@
import sys
from django.contrib.auth.models import Group
from django.template import (
Context, Engine, TemplateDoesNotExist, TemplateSyntaxError,
)
@ -163,15 +162,6 @@ class TemplateTestMixin:
with self.assertRaises(NoReverseMatch):
t.render(Context())
def test_debug_tag_non_ascii(self):
"""
#23060 -- Test non-ASCII model representation in debug output.
"""
group = Group(name="清風")
c1 = Context({"objs": [group]})
t1 = self._engine().from_string('{% debug %}')
self.assertIn("清風", t1.render(c1))
def test_extends_generic_template(self):
"""
#24338 -- Allow extending django.template.backends.django.Template