path: root/docs/releases/2.2.27.txt
author    Markus Holtermann <info@markusholtermann.eu>    2022-01-02 00:37:40 +0100
committer Mariusz Felisiak <felisiak.mariusz@gmail.com>    2022-02-01 07:40:51 +0100
commit    394517f07886495efcf79f95c7ee402a9437bd68 (patch)
tree      c7df4b0d112de18ab6caab569e1bde5f7915c218 /docs/releases/2.2.27.txt
parent    97a72744681d0993b50dee952cf32cdf9650ad9f (diff)
Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.
Thanks Keryn Knight for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
Diffstat (limited to 'docs/releases/2.2.27.txt')
-rw-r--r--  docs/releases/2.2.27.txt  10
1 files changed, 9 insertions, 1 deletions
diff --git a/docs/releases/2.2.27.txt b/docs/releases/2.2.27.txt
index a35082fa33..b1712c649c 100644
--- a/docs/releases/2.2.27.txt
+++ b/docs/releases/2.2.27.txt
@@ -6,4 +6,12 @@ Django 2.2.27 release notes
Django 2.2.27 fixes two security issues with severity "medium" in 2.2.26.
-...
+CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
+=============================================================
+
+The ``{% debug %}`` template tag didn't properly encode the current context,
+posing an XSS attack vector.
+
+In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
+information when the ``DEBUG`` setting is ``False``, and it ensures all context
+variables are correctly escaped when the ``DEBUG`` setting is ``True``.
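Review bot: the second paragraph of the new section has a grammar slip: "no longer outputs an information when the ``DEBUG`` setting is ``False``" should read "no longer outputs any information when the ``DEBUG`` setting is ``False``" ("information" is uncountable). While fixing that sentence, consider splitting it so the two behaviours are stated separately, since they are the fix's two distinct guarantees: with ``DEBUG = False`` the tag now renders nothing at all, and with ``DEBUG = True`` every context variable is escaped before output; readers checking whether they are affected will look for exactly those two statements. Also note that the file's first line still says 2.2.27 "fixes two security issues", but after this hunk only CVE-2022-22818 is described, so the second issue still needs its own section before the notes are complete.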