#34770: Default autoescape off in password_reset_email.html
-------------------------------------+-------------------------------------
Reporter: Yi Ming Yung               | Owner: nobody
Type: Bug                            | Status: assigned
Component: contrib.auth              | Version: 4.2
Severity: Normal                     | Keywords: autoescape password_reset template
Triage Stage: Unreviewed             | Has patch: 1
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 0
UI/UX: 0                             |
-------------------------------------+-------------------------------------
In the source code, the contents of password_reset_email.html have {% autoescape off %} by default. This causes none of the variables put into the template to be escaped properly. This can lead to some simple HTML injection. It's not a big security issue, but it seems inconsistent, as this is the only template in the source code to do so.

I am also not sure why this would be desired in an email template, or at all by default for that matter. If someone knows or has a valid use case for this, please let me know.

For reference:
https://github.com/django/django/blob/59f475470494ce5b8cbff816b1e5dafcbd10a3a3/django/contrib/admin/templates/registration/password_reset_email.html#L1C11-L1C11
--
Ticket URL: <https://code.djangoproject.com/ticket/34770>