authorMarkus Holtermann <info@markusholtermann.eu>2022-01-02 00:37:40 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2022-02-01 07:43:45 +0100
commit01422046065d2b51f8f613409cad2c81b39487e5 (patch)
treef6c8ab06087174650bf603ddaf2a62145408b99a /tests/template_tests/syntax_tests/test_debug.py
parent6928227dffe45f06deed9a218a188e6ed11334ba (diff)
[4.0.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.
Thanks Keryn Knight for the report. Backport of 394517f07886495efcf79f95c7ee402a9437bd68 from main. Co-authored-by: Adam Johnson <me@adamj.eu>
Diffstat (limited to 'tests/template_tests/syntax_tests/test_debug.py')
-rw-r--r--tests/template_tests/syntax_tests/test_debug.py46
1 files changed, 46 insertions, 0 deletions
diff --git a/tests/template_tests/syntax_tests/test_debug.py b/tests/template_tests/syntax_tests/test_debug.py
new file mode 100644
index 0000000000..2f527b44ae
--- /dev/null
+++ b/tests/template_tests/syntax_tests/test_debug.py
@@ -0,0 +1,46 @@
+from django.contrib.auth.models import Group
+from django.test import SimpleTestCase, override_settings
+
+from ..utils import setup
+
+
+@override_settings(DEBUG=True)
+class DebugTests(SimpleTestCase):
+
+ @override_settings(DEBUG=False)
+ @setup({'non_debug': '{% debug %}'})
+ def test_non_debug(self):
+ output = self.engine.render_to_string('non_debug', {})
+ self.assertEqual(output, '')
+
+ @setup({'modules': '{% debug %}'})
+ def test_modules(self):
+ output = self.engine.render_to_string('modules', {})
+ self.assertIn(
+ '&#x27;django&#x27;: &lt;module &#x27;django&#x27; ',
+ output,
+ )
+
+ @setup({'plain': '{% debug %}'})
+ def test_plain(self):
+ output = self.engine.render_to_string('plain', {'a': 1})
+ self.assertTrue(output.startswith(
+ '{&#x27;a&#x27;: 1}'
+ '{&#x27;False&#x27;: False, &#x27;None&#x27;: None, '
+ '&#x27;True&#x27;: True}\n\n{'
+ ))
+
+ @setup({'non_ascii': '{% debug %}'})
+ def test_non_ascii(self):
+ group = Group(name="清風")
+ output = self.engine.render_to_string('non_ascii', {'group': group})
+ self.assertTrue(output.startswith(
+ '{&#x27;group&#x27;: &lt;Group: 清風&gt;}'
+ ))
+
+ @setup({'script': '{% debug %}'})
+ def test_script(self):
+ output = self.engine.render_to_string('script', {'frag': '<script>'})
+ self.assertTrue(output.startswith(
+ '{&#x27;frag&#x27;: &#x27;&lt;script&gt;&#x27;}'
+ ))
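Review bot: test_script pins only the escaped prefix of the rendered output and never asserts that the unescaped fragment is absent, so a regression that still escapes the leading context dict but leaks the raw value elsewhere in the `{% debug %}` output (test_plain shows a second dict follows the first, and test_modules shows module reprs are included) would pass unnoticed. A direct negative assertion such as `self.assertNotIn('<script>', output)` after the `startswith` check states the XSS property the commit fixes in one line and is independent of the exact repr formatting. The same `assertNotIn` guard would be worth adding to test_non_ascii, since its prefix assertion likewise says nothing about the rest of the output. The `@override_settings(DEBUG=False)` on test_non_debug stacks on the class-level `DEBUG=True`; a one-line comment noting that the method-level decorator intentionally overrides the class setting would help a reader who only sees the method.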