Posting some of the discussion from IRC:
I've done some recent work with sensitive_post_parameters:
https://github.com/django/django/commit/2daada800f8e28cc1ba664b3008efaefab8fb570
The general lesson I learned was blacklisting isn't a very comprehensive
approach and there are defin
I just discovered that using @method_decorator(sensitive_post_parameters())
doesn't properly cleanse request.POST for all of the traceback frames.
Specifically, method_decorator's inner bound_func leaks the request because
it is contained in the args2 variable and not named request.
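
The leak described above, reproduced as an added example that is not part of the original post and is not Django's code. It is a simplified model of traceback-frame cleansing: FakeRequest, bound_func_like, cleanse_by_name and cleanse_by_type are hypothetical names, and the POST value is constructed.

```python
class FakeRequest:
    """Constructed stand-in for a request object (not Django's HttpRequest)."""
    def __init__(self, post):
        self.POST = post

    def __repr__(self):
        return f"<FakeRequest POST={self.POST!r}>"

def view(request):
    raise ValueError("boom")

def bound_func_like(*args2):
    # Same shape as the wrapper in the post: the request is only reachable
    # through a tuple local called args2, never through a local named request.
    return view(*args2)

def frames_of(exc):
    """Collect (function name, locals) for every frame in the traceback."""
    out, tb = [], exc.__traceback__
    while tb is not None:
        out.append((tb.tb_frame.f_code.co_name, dict(tb.tb_frame.f_locals)))
        tb = tb.tb_next
    return out

def cleanse_by_name(frames):
    # Name-based cleansing: only a local literally called "request" is redacted.
    return [(fn, {k: "<redacted>" if k == "request" else repr(v)
                  for k, v in loc.items()}) for fn, loc in frames]

def scrub(value):
    # Type-based cleansing: redact request objects wherever they are nested.
    if isinstance(value, FakeRequest):
        return "<redacted request>"
    if isinstance(value, tuple):
        return tuple(scrub(v) for v in value)
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items()}
    return value

def cleanse_by_type(frames):
    return [(fn, {k: repr(scrub(v)) for k, v in loc.items()}) for fn, loc in frames]

def report(cleanser):
    """Raise through the wrapper and return the cleansed frame variables."""
    try:
        bound_func_like(FakeRequest({"password": "hunter2-constructed"}))
    except ValueError as exc:
        return cleanser(frames_of(exc))
```

Comparing report(cleanse_by_name) with report(cleanse_by_type) shows the view frame redacted in both, while only the type-based pass removes the POST data from the wrapper frame's args2.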