From 41635d2176f7a950498b020f335232ad9f734279 Mon Sep 17 00:00:00 2001
From: Russell Keith-Magee
Date: Sat, 10 May 2008 13:19:19 +0000
Subject: [PATCH] Removed mark_safe from the saved request path on the admin login form. This prevents a potential XSS attack. Formal announcement will be forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/admin/views/decorators.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/django/contrib/admin/views/decorators.py b/django/contrib/admin/views/decorators.py
index b9fd9ab900..cedb1f9cfd 100644
--- a/django/contrib/admin/views/decorators.py
+++ b/django/contrib/admin/views/decorators.py
@@ -29,7 +29,7 @@ def _display_login_form(request, error_message=''):
 post_data = _encode_post_data({})
 return render_to_response('admin/login.html', {
 'title': _('Log in'),
- 'app_path': mark_safe(request.path),
+ 'app_path': request.path,
 'post_data': post_data,
 'error_message': error_message
 }, context_instance=template.RequestContext(request))
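Review bot: Dropping `mark_safe` on the `app_path` line only closes the issue if `admin/login.html` renders that variable with template autoescaping left on, and nothing in this hunk pins that down, so a regression test that requests the login view with a path containing HTML metacharacters and asserts they come back escaped would be worth adding alongside this change. A why-comment on the changed line would also keep the wrapper from being reintroduced later: `'app_path': request.path,  # request-controlled; must stay autoescaped in the template`. `_display_login_form` starts before this hunk, and whether `mark_safe` is still imported or used elsewhere in the module cannot be seen from here.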