Re: /admin Cross-Site Scripting (XSS) issue!

2008-05-08 Thread peschler
Just confirming for: Django version 0.97-newforms-admin-SVN-7233 does not produce an alert box. In fact the form action is escaped here, too.

peschler

On May 8, 12:26 am, "Karen Tracey" <[EMAIL PROTECTED]> wrote:
> On Wed, May 7, 2008 at 3:41 PM, James Bennett <[EMAIL PROTECTED]> wrote:
> >
> > O

Re: /admin Cross-Site Scripting (XSS) issue!

2008-05-07 Thread Karen Tracey
On Wed, May 7, 2008 at 3:41 PM, James Bennett <[EMAIL PROTECTED]> wrote:
>
> On Wed, May 7, 2008 at 2:32 PM, Jan Rademaker <[EMAIL PROTECTED]>
> wrote:
> >
> > It does work, make sure you're not logged in.
> >
> > $ lynx -source -dump
> http://localhost:8000/admin/%22%3E%3Cscript%3Ealert%283939%

Re: /admin Cross-Site Scripting (XSS) issue!

2008-05-07 Thread James Bennett
On Wed, May 7, 2008 at 2:32 PM, Jan Rademaker <[EMAIL PROTECTED]> wrote:
>
> It does work, make sure you're not logged in.
>
> $ lynx -source -dump
> http://localhost:8000/admin/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/
> | grep alert
> alert(3939)/" method="post"
> id="login-form">

O
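The probe in the thread is a reflected XSS check against the admin login page: the login form's action attribute is built from the request path, so a path containing `"><script>alert(3939)</script>` either lands in the markup raw (alert box) or HTML-escaped (no alert box, as reported for SVN-7233). The following is an added example, not code from the Django project or from anyone in the thread. It reproduces the probe offline: two hypothetical stand-in renderers (`render_login_form_unescaped` / `render_login_form_escaped`, both made up for this illustration, not Django's template code) model the two behaviours, `make_probe_path` rebuilds the exact percent-encoded path from the thread, and `reflects_script` checks for a live script element rather than just grepping for `alert`, because the escaped page still contains the string `alert(3939)` and a bare `grep alert` would match it too.

```python
# Added example; the renderer functions are stand-ins, not Django's own code.
import html
import re
from urllib.parse import quote, unquote

# The exact path from the thread's lynx command (decoded by the server before
# it reaches the application, which is what unquote() models below).
PROBE_PATH = "/admin/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/"


def make_probe_path(marker: str, base: str = "/admin/") -> str:
    """Percent-encode an attribute-breakout payload for use in a URL path.

    The payload closes the action="..." attribute and the <form ...> tag, then
    injects a script element containing `marker` (e.g. "alert(3939)").
    Slashes stay unencoded so the trailing "/" is part of the path.
    """
    payload = '"><script>%s</script>/' % marker
    return base + quote(payload, safe="/")


def render_login_form_unescaped(request_path: str) -> str:
    """Hypothetical 'before' behaviour: raw request path dropped into the
    action attribute, so attribute breakout succeeds."""
    return ('<form action="%s" method="post" id="login-form">'
            '<input type="submit" value="Log in"></form>' % request_path)


def render_login_form_escaped(request_path: str) -> str:
    """Hypothetical 'after' behaviour: the attribute value is HTML-escaped,
    including double quotes, so the path cannot close the attribute."""
    return ('<form action="%s" method="post" id="login-form">'
            '<input type="submit" value="Log in"></form>'
            % html.escape(request_path, quote=True))


def grep_hit(page: str, marker: str = "alert(3939)") -> bool:
    """What `| grep alert` tells you: the marker text appears somewhere.
    This is true for the escaped page as well, so it is not a verdict."""
    return marker in page


def reflects_script(page: str, marker: str = "alert(3939)") -> bool:
    """True only if a real <script> element containing `marker` is present,
    i.e. the payload survived unescaped and would execute in a browser."""
    pattern = r"<script\b[^>]*>[^<]*%s[^<]*</script>" % re.escape(marker)
    return re.search(pattern, page) is not None


if __name__ == "__main__":
    decoded = unquote(PROBE_PATH)          # what the app sees as request.path
    for name, render in (("unescaped", render_login_form_unescaped),
                         ("escaped", render_login_form_escaped)):
        page = render(decoded)
        print("%-9s grep_hit=%-5s reflects_script=%s"
              % (name, grep_hit(page), reflects_script(page)))
```

Run against a live server the same distinction applies: fetch the page with the crafted path while logged out (the login form is only rendered then, as the thread notes) and look for an unescaped `<script>` in the form's action attribute, not merely for the word `alert`.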