| author | Keryn Knight <keryn@kerynknight.com> | 2022-01-26 15:09:08 +0000 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-01-28 07:07:12 +0100 |
| commit | c5c7a15b09368a58340d3a65ba9d1f1441e92dc8 (patch) | |
| tree | 2d8cbe6e5bc01935b8132ad9b8152cd07527e398 /tests/view_tests/views.py | |
| parent | 3a9b8b25d48c5768633e73edc5ddca20c3fd716c (diff) | |
Fixed #33461 -- Escaped template errors in the technical 500 debug page.
Diffstat (limited to 'tests/view_tests/views.py')
| -rw-r--r-- | tests/view_tests/views.py | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/tests/view_tests/views.py b/tests/view_tests/views.py
index 97695ef493..8cf9ab4dde 100644
--- a/tests/view_tests/views.py
+++ b/tests/view_tests/views.py
@@ -9,7 +9,7 @@ from django.core.exceptions import (
 )
 from django.http import Http404, HttpResponse, JsonResponse
 from django.shortcuts import render
-from django.template import TemplateDoesNotExist
+from django.template import Context, Template, TemplateDoesNotExist
 from django.urls import get_resolver
 from django.views import View
 from django.views.debug import (
@@ -89,6 +89,18 @@ def template_exception(request):
     return render(request, 'debug/template_exception.html')
 
 
+def safestring_in_template_exception(request):
+    """
+    Trigger an exception in the template machinery which causes a SafeString
+    to be inserted as args[0] of the Exception.
+    """
+    template = Template('{% extends "<script>alert(1);</script>" %}')
+    try:
+        template.render(Context())
+    except Exception:
+        return technical_500_response(request, *sys.exc_info())
+
+
 def jsi18n(request):
     return render(request, 'jsi18n.html') |
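Review bot: The `except Exception:` in `safestring_in_template_exception` is broader than this fixture needs, so any failure inside `template.render(Context())` is handed to `technical_500_response`, not only the one whose `args[0]` is the SafeString built from the `{% extends %}` literal. If the template machinery later fails differently here, the escaping regression test could keep running against another exception and stop covering the case from #33461. Assuming the missing parent template surfaces as `TemplateDoesNotExist` (already imported in the first hunk), `except TemplateDoesNotExist:` would pin the fixture to that path. The view also falls through and returns `None` when nothing is raised; an explicit `raise AssertionError('template.render() did not raise')` after the `try` block would make that failure readable. The docstring could also say that the `<script>` markup is deliberately unescaped input, used to check that the debug page escapes it.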
