summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRussell Keith-Magee <russell@keith-magee.com>2008-05-10 13:19:19 +0000
committerRussell Keith-Magee <russell@keith-magee.com>2008-05-10 13:19:19 +0000
commit41635d2176f7a950498b020f335232ad9f734279 (patch)
treea69125ee40445f99281ef18623a0ca885cb8d6c2
parent4880ba3ce1860f84f2ce602566654c34924b4a73 (diff)
Removed mark_safe from the saved request path on the admin login form. This prevents a potential XSS attack. Formal announcement will be forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--django/contrib/admin/views/decorators.py2
1 files changed, 1 insertions, 1 deletions
diff --git a/django/contrib/admin/views/decorators.py b/django/contrib/admin/views/decorators.py
index b9fd9ab900..cedb1f9cfd 100644
--- a/django/contrib/admin/views/decorators.py
+++ b/django/contrib/admin/views/decorators.py
@@ -29,7 +29,7 @@ def _display_login_form(request, error_message=''):
post_data = _encode_post_data({})
return render_to_response('admin/login.html', {
'title': _('Log in'),
- 'app_path': mark_safe(request.path),
+ 'app_path': request.path,
'post_data': post_data,
'error_message': error_message
}, context_instance=template.RequestContext(request))