Backport [7521] to 0.91-bugfixes per security policy; announcement and security bugfix release will be forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/branches/0.91-bugfixes@7529 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-05-14 04:07:42 +00:00 · 2008-05-14 04:07:42 +00:00 · 6e657e2c40
parent 2c03839d79
commit 6e657e2c40
1 changed files with 2 additions and 1 deletions
--- a/django/contrib/admin/views/decorators.py
+++ b/django/contrib/admin/views/decorators.py
@ -2,6 +2,7 @@ from django.core.extensions import DjangoContext, render_to_response
 from django.conf.settings import SECRET_KEY
 from django.models.auth import users
 from django.utils import httpwrappers
+from django.utils.html import escape
 from django.utils.translation import gettext_lazy
 import base64, datetime, md5
 import cPickle as pickle
@ -21,7 +22,7 @@ def _display_login_form(request, error_message=''):
        post_data = _encode_post_data({})
    return render_to_response('admin/login', {
        'title': _('Log in'),
-        'app_path': request.path,
+        'app_path': escape(request.path),
        'post_data': post_data,
        'error_message': error_message
    }, context_instance=DjangoContext(request))