authorTim Graham <timograham@gmail.com>2016-07-06 15:41:06 -0400
committerTim Graham <timograham@gmail.com>2016-07-15 09:23:32 -0400
commitd03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158 (patch)
treecaffc2e8db737972ec4d8d48961f506e43090336 /django/views/debug.py
parentab2f5f764a2f6db97e23cccd5c4f5abbb43d1caf (diff)
[1.9.x] Fixed XSS in admin's add/change related popup.
This is a security fix.
Diffstat (limited to 'django/views/debug.py')
-rw-r--r--django/views/debug.py4
1 files changed, 2 insertions, 2 deletions
diff --git a/django/views/debug.py b/django/views/debug.py
index 7cff3eface..2629d345eb 100644
--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -631,13 +631,13 @@ TECHNICAL_500_TEMPLATE = ("""
var s = link.getElementsByTagName('span')[0];
var uarr = String.fromCharCode(0x25b6);
var darr = String.fromCharCode(0x25bc);
- s.innerHTML = s.innerHTML == uarr ? darr : uarr;
+ s.textContent = s.textContent == uarr ? darr : uarr;
return false;
}
function switchPastebinFriendly(link) {
s1 = "Switch to copy-and-paste view";
s2 = "Switch back to interactive view";
- link.innerHTML = link.innerHTML.trim() == s1 ? s2: s1;
+ link.textContent = link.textContent.trim() == s1 ? s2: s1;
toggle('browserTraceback', 'pastebinTraceback');
return false;
}
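Review bot: The two `textContent` assignments (the arrow toggle and `switchPastebinFriendly`) carry no comment saying why `innerHTML` is avoided, so a later cleanup could switch them back. Both sites only write values built in the script (`uarr`/`darr` from `String.fromCharCode`, and the `s1`/`s2` literals), so this looks like hardening of the debug template rather than the injectable sink itself, which presumably sits in files this view does not show. A one-line comment in the template script above each assignment would record the intent, e.g. `// textContent, not innerHTML: the label is plain text and must never be parsed as markup`. In the same function `s1` and `s2` are assigned without `var` and so become implicit globals on the debug page; `var s1 = "Switch to copy-and-paste view";` (and likewise for `s2`) would keep them local. The first function in the hunk begins above the visible lines, so its name and the origin of `link` cannot be checked from here.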