
Showing content from https://github.com/django/django/commit/1a1e8278c46418bde24c86a65443b0674bae65e2 below:

[3.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} te… · django/django@1a1e827 · GitHub

File tree Expand file treeCollapse file tree 6 files changed

+77

-16

lines changed


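--- a/<PATH NOT ON PAGE: template defaulttags module>
+++ b/<PATH NOT ON PAGE: template defaulttags module>
@@ -9,7 +9,7 @@
 from django.conf import settings
 from django.utils import timezone
 from django.utils.deprecation import RemovedInDjango40Warning
-from django.utils.html import conditional_escape, format_html
+from django.utils.html import conditional_escape, escape, format_html
 from django.utils.lorem_ipsum import paragraphs, words
 from django.utils.safestring import mark_safe
 
@@ -96,10 +96,13 @@ def reset(self, context):
 
 class DebugNode(Node):
     def render(self, context):
+        if not settings.DEBUG:
+            return ''
+
         from pprint import pformat
-        output = [pformat(val) for val in context]
+        output = [escape(pformat(val)) for val in context]
         output.append('\n\n')
-        output.append(pformat(sys.modules))
+        output.append(escape(pformat(sys.modules)))
         return ''.join(output)
 
 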
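Review bot: `DebugNode.render` gains a security-relevant early return and per-value `escape()` without a comment on why, and the guard reads the global `settings.DEBUG` rather than the engine's own `debug` option, so an engine configured with `debug=True` under `DEBUG=False` now renders nothing — consistent with the release notes in this commit, but worth stating in code. I would add above the `if` a comment such as `# Never expose the context or sys.modules outside DEBUG, and escape() each pformat() chunk: the joined string is emitted by this node as-is, so nothing downstream would escape it.`; the second clause is my reading of the template pipeline and should be confirmed before landing. The `'\n\n'` separator needs no escaping, so leaving it outside `escape()` is fine.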

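--- a/<PATH NOT ON PAGE: built-in template tags reference doc>
+++ b/<PATH NOT ON PAGE: built-in template tags reference doc>
@@ -194,7 +194,13 @@ from its first value when it's next encountered.
 ---------
 
 Outputs a whole load of debugging information, including the current context
-and imported modules.
+and imported modules. ``{% debug %}`` outputs nothing when the :setting:`DEBUG`
+setting is ``False``.
+
+.. versionchanged:: 2.2.27
+
+    In older versions, debugging information was displayed when the
+    :setting:`DEBUG` setting was ``False``.
 
 .. templatetag:: extends
 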

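--- a/<PATH NOT ON PAGE: 2.2.27 release notes>
+++ b/<PATH NOT ON PAGE: 2.2.27 release notes>
@@ -6,4 +6,12 @@ Django 2.2.27 release notes
 
 Django 2.2.27 fixes two security issues with severity "medium" in 2.2.26.
 
-...
+CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
+=============================================================
+
+The ``{% debug %}`` template tag didn't properly encode the current context,
+posing an XSS attack vector.
+
+In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
+information when the ``DEBUG`` setting is ``False``, and it ensures all context
+variables are correctly escaped when the ``DEBUG`` setting is ``True``.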

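--- a/<PATH NOT ON PAGE: 3.2.12 release notes>
+++ b/<PATH NOT ON PAGE: 3.2.12 release notes>
@@ -6,4 +6,12 @@ Django 3.2.12 release notes
 
 Django 3.2.12 fixes two security issues with severity "medium" in 3.2.11.
 
-...
+CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
+=============================================================
+
+The ``{% debug %}`` template tag didn't properly encode the current context,
+posing an XSS attack vector.
+
+In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
+information when the ``DEBUG`` setting is ``False``, and it ensures all context
+variables are correctly escaped when the ``DEBUG`` setting is ``True``.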

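--- a/<PATH NOT ON PAGE: new test_debug syntax test module>
+++ b/<PATH NOT ON PAGE: new test_debug syntax test module>
@@ -0,0 +1,46 @@
+from django.contrib.auth.models import Group
+from django.test import SimpleTestCase, override_settings
+
+from ..utils import setup
+
+
+@override_settings(DEBUG=True)
+class DebugTests(SimpleTestCase):
+
+    @override_settings(DEBUG=False)
+    @setup({'non_debug': '{% debug %}'})
+    def test_non_debug(self):
+        output = self.engine.render_to_string('non_debug', {})
+        self.assertEqual(output, '')
+
+    @setup({'modules': '{% debug %}'})
+    def test_modules(self):
+        output = self.engine.render_to_string('modules', {})
+        self.assertIn(
+            ''django': <module 'django' ',
+            output,
+        )
+
+    @setup({'plain': '{% debug %}'})
+    def test_plain(self):
+        output = self.engine.render_to_string('plain', {'a': 1})
+        self.assertTrue(output.startswith(
+            '{'a': 1}'
+            '{'False': False, 'None': None, '
+            ''True': True}\n\n{'
+        ))
+
+    @setup({'non_ascii': '{% debug %}'})
+    def test_non_ascii(self):
+        group = Group(name="清風")
+        output = self.engine.render_to_string('non_ascii', {'group': group})
+        self.assertTrue(output.startswith(
+            '{'group': <Group: 清風>}'
+        ))
+
+    @setup({'script': '{% debug %}'})
+    def test_script(self):
+        output = self.engine.render_to_string('script', {'frag': '<script>'})
+        self.assertTrue(output.startswith(
+            '{&#x27;frag&#x27;: &#x27;&lt;script&gt;&#x27;}'
+        ))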
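Review bot: `test_non_ascii` replaces the `test_debug_tag_non_ascii` that this commit removes from the template tests module but drops its docstring, so the link to ticket #23060 is lost; I would restore it on the new method as `"""#23060 -- Test non-ASCII model representation in debug output."""`, and give `test_script` a one-line docstring naming CVE-2022-22818, since it is the regression test for the escaping fix. Separately, as displayed the expected strings in `test_modules`, `test_plain` and `test_non_ascii` contain raw `'` and `<` (e.g. `'{'a': 1}'`, which is not a valid Python literal) while `test_script` expects `&#x27;`/`&lt;`; the former look entity-decoded by the page renderer rather than as committed, so verify the actual literals against the repository before relying on this rendering.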

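--- a/<PATH NOT ON PAGE: template tests module>
+++ b/<PATH NOT ON PAGE: template tests module>
@@ -1,6 +1,5 @@
 import sys
 
-from django.contrib.auth.models import Group
 from django.template import Context, Engine, TemplateSyntaxError
 from django.template.base import UNKNOWN_SOURCE
 from django.test import SimpleTestCase, override_settings
@@ -143,15 +142,6 @@ def test_super_errors(self):
         with self.assertRaises(NoReverseMatch):
             t.render(Context())
 
-    def test_debug_tag_non_ascii(self):
-        """
-        #23060 -- Test non-ASCII model representation in debug output.
-        """
-        group = Group(name="清風")
-        c1 = Context({"objs": [group]})
-        t1 = Engine().from_string('{% debug %}')
-        self.assertIn("清風", t1.render(c1))
-
     def test_extends_generic_template(self):
         """
         #24338 -- Allow extending django.template.backends.django.Template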


