[1.10.x] Fixed XSS in admin's add/change related popup.

This is a security fix.
author: Tim Graham <timograham@gmail.com> 2016-07-06 15:41:06 -0400
committer: Tim Graham <timograham@gmail.com> 2016-07-18 11:17:19 -0400
commit: 6fa150b2f8b601668083042324c4add534143cb1 (patch)
tree: 5825f03143b4d7b6b18e17ae9eb93b9628754932 /django/views/debug.py
parent: a03ac61332fe356a60e25d5ecd7d4cd7ee07c345 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/django/views/debug.py b/django/views/debug.py
index 56329325d3..eac0a77605 100644
--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -636,13 +636,13 @@ TECHNICAL_500_TEMPLATE = ("""
       var s = link.getElementsByTagName('span')[0];
       var uarr = String.fromCharCode(0x25b6);
       var darr = String.fromCharCode(0x25bc);
-      s.innerHTML = s.innerHTML == uarr ? darr : uarr;
+      s.textContent = s.textContent == uarr ? darr : uarr;
       return false;
     }
     function switchPastebinFriendly(link) {
       s1 = "Switch to copy-and-paste view";
       s2 = "Switch back to interactive view";
-      link.innerHTML = link.innerHTML.trim() == s1 ? s2: s1;
+      link.textContent = link.textContent.trim() == s1 ? s2: s1;
       toggle('browserTraceback', 'pastebinTraceback');
       return false;
     }
author	Tim Graham <timograham@gmail.com>	2016-07-06 15:41:06 -0400
committer	Tim Graham <timograham@gmail.com>	2016-07-18 11:17:19 -0400
commit	6fa150b2f8b601668083042324c4add534143cb1 (patch)
tree	5825f03143b4d7b6b18e17ae9eb93b9628754932 /django/views/debug.py
parent	a03ac61332fe356a60e25d5ecd7d4cd7ee07c345 (diff)