#33523: remove dangerous text from translated message about csrf error
-------------------------------------+-------------------------------------
Reporter: Maxim Danilov | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 4.0
Severity: Normal | Keywords: csrf error message
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
-------------------------------------+-------------------------------------
In django\views\csrf.py, the function csrf_failure defines an error dictionary "c"
(error_name: error_description).
The item with key 'no_referer3' has the text:
'If you are using the <meta name="referrer" content=\"no-referrer\"> tag
or including the “Referrer-Policy: no-referrer” header, please remove
them. The CSRF protection requires the “Referer” header to do strict
referer checking. If you’re concerned about privacy, use alternatives like
<a rel=\"noreferrer\" …> for links to third-party sites.'
If I put this message simply in <html><head><title> {{ c.no_referer3 }}
</title>, it breaks the browser's work.
The browsers take <meta name="referrer" content=\"no-referrer\"> as a
normal meta (Chrome and Firefox).
This text "out of the box" has no escaped symbols and is therefore
dangerous. Of course, I can change it with translations.
--
Ticket URL: <https://code.djangoproject.com/ticket/33523>
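The point of the ticket is that a message whose text happens to contain HTML markup must be escaped before it is interpolated into a page, otherwise the markup reaches the browser as live tags. The following added example (not code from the ticket or from Django) shows the difference with the standard library's `html.escape`. The message string is a constructed, abbreviated stand-in for the 'no_referer3' text, and `render_page` is a hypothetical helper, not a Django function.

```python
import html

# Constructed stand-in for the 'no_referer3' message: abbreviated from the
# ticket, not copied from Django's source. Note that it carries a real tag.
NO_REFERER3 = (
    'If you are using the <meta name="referrer" content="no-referrer"> tag '
    'or including the "Referrer-Policy: no-referrer" header, please remove them.'
)


def render_page(message: str, escape: bool) -> str:
    """Interpolate a message into a minimal HTML document.

    escape=False reproduces the problem the ticket describes: the message is
    inserted verbatim, so any markup inside it is parsed by the browser.
    escape=True converts <, >, &, and quotes to character references, so the
    browser displays the tag as text instead of acting on it.
    """
    body = html.escape(message, quote=True) if escape else message
    return f"<html><head><title>CSRF error</title></head><body>{body}</body></html>"


def contains_live_tag(document: str, tag_name: str) -> bool:
    """Return True if the document contains an unescaped opening tag.

    This is a deliberately crude string check: the only tag it is meant to
    detect here is the one carried inside the message.
    """
    return f"<{tag_name}" in document


if __name__ == "__main__":
    for escape in (False, True):
        page = render_page(NO_REFERER3, escape=escape)
        print(f"escape={escape}: live <meta> tag present: "
              f"{contains_live_tag(page, 'meta')}")
```

The escaped rendering leaves `&lt;meta name=&quot;referrer&quot; ...&gt;` in the document, which the browser shows to the user as the intended advice rather than applying as a referrer policy. Any place that renders such a message with autoescaping disabled, or marks it as safe, reintroduces the behaviour the reporter observed.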