authorMarkus Holtermann <info@markusholtermann.eu>2022-01-02 00:37:40 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2022-02-01 07:40:51 +0100
commit394517f07886495efcf79f95c7ee402a9437bd68 (patch)
treec7df4b0d112de18ab6caab569e1bde5f7915c218 /django/template
parent97a72744681d0993b50dee952cf32cdf9650ad9f (diff)
Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.
Thanks Keryn Knight for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
Diffstat (limited to 'django/template')
-rw-r--r--django/template/defaulttags.py9
1 files changed, 6 insertions, 3 deletions
diff --git a/django/template/defaulttags.py b/django/template/defaulttags.py
index bc401853a4..99c09a483a 100644
--- a/django/template/defaulttags.py
+++ b/django/template/defaulttags.py
@@ -8,7 +8,7 @@ from itertools import cycle as itertools_cycle, groupby
from django.conf import settings
from django.utils import timezone
-from django.utils.html import conditional_escape, format_html
+from django.utils.html import conditional_escape, escape, format_html
from django.utils.lorem_ipsum import paragraphs, words
from django.utils.safestring import mark_safe
@@ -99,10 +99,13 @@ class CycleNode(Node):
class DebugNode(Node):
def render(self, context):
+ if not settings.DEBUG:
+ return ''
+
from pprint import pformat
- output = [pformat(val) for val in context]
+ output = [escape(pformat(val)) for val in context]
output.append('\n\n')
- output.append(pformat(sys.modules))
+ output.append(escape(pformat(sys.modules)))
return ''.join(output)