diff options
Diffstat (limited to 'django')
| -rw-r--r-- | django/middleware/csrf.py | 6 | ||||
| -rw-r--r-- | django/template/defaulttags.py | 3 |
2 files changed, 6 insertions, 3 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index acb941315d..59eef72315 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -13,6 +13,7 @@ from django.conf import settings from django.core.urlresolvers import get_callable from django.utils.cache import patch_vary_headers from django.utils.hashcompat import md5_constructor +from django.utils.html import escape from django.utils.safestring import mark_safe _POST_FORM_RE = \ @@ -52,7 +53,8 @@ def _make_legacy_session_token(session_id): def get_token(request): """ - Returns the the CSRF token required for a POST form. + Returns the the CSRF token required for a POST form. No assumptions should + be made about what characters might be in the CSRF token. A side effect of calling this function is to make the the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' @@ -233,7 +235,7 @@ class CsrfResponseMiddleware(object): """Returns the matched <form> tag plus the added <input> element""" return mark_safe(match.group() + "<div style='display:none;'>" + \ "<input type='hidden' " + idattributes.next() + \ - " name='csrfmiddlewaretoken' value='" + csrf_token + \ + " name='csrfmiddlewaretoken' value='" + escape(csrf_token) + \ "' /></div>") # Modify any POST forms diff --git a/django/template/defaulttags.py b/django/template/defaulttags.py index d629a690c5..0914b1c3b1 100644 --- a/django/template/defaulttags.py +++ b/django/template/defaulttags.py @@ -9,6 +9,7 @@ from django.template import TemplateSyntaxError, VariableDoesNotExist, BLOCK_TAG from django.template import get_library, Library, InvalidTemplateLibrary from django.template.smartif import IfParser, Literal from django.conf import settings +from django.utils.html import escape from django.utils.encoding import smart_str, smart_unicode from django.utils.safestring import mark_safe @@ -42,7 +43,7 @@ class CsrfTokenNode(Node): if csrf_token == 'NOTPROVIDED': return mark_safe(u"") else: - return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token)) + return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % escape(csrf_token)) else: # It's very probable that the token is missing because of # misconfiguration, so we raise a warning |