diff options
| author | Russell Keith-Magee <russell@keith-magee.com> | 2008-05-10 13:19:19 +0000 |
|---|---|---|
| committer | Russell Keith-Magee <russell@keith-magee.com> | 2008-05-10 13:19:19 +0000 |
| commit | 41635d2176f7a950498b020f335232ad9f734279 (patch) | |
| tree | a69125ee40445f99281ef18623a0ca885cb8d6c2 | |
| parent | 4880ba3ce1860f84f2ce602566654c34924b4a73 (diff) | |
Removed mark_safe from the saved request path on the admin login form. This prevents a potential XSS attack. Formal announcement will be forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
| -rw-r--r-- | django/contrib/admin/views/decorators.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/django/contrib/admin/views/decorators.py b/django/contrib/admin/views/decorators.py index b9fd9ab900..cedb1f9cfd 100644 --- a/django/contrib/admin/views/decorators.py +++ b/django/contrib/admin/views/decorators.py @@ -29,7 +29,7 @@ def _display_login_form(request, error_message=''): post_data = _encode_post_data({}) return render_to_response('admin/login.html', { 'title': _('Log in'), - 'app_path': mark_safe(request.path), + 'app_path': request.path, 'post_data': post_data, 'error_message': error_message }, context_instance=template.RequestContext(request)) |
