+25
-17
@@ -775,38 +775,37 @@ def default_urlconf(request):
775
775
<h2>Traceback <span class="commands">{% if not is_email %}<a href="#" onclick="return switchPastebinFriendly(this);">
776
776
Switch to copy-and-paste view</a></span>{% endif %}
777
777
</h2>
778
-
{% autoescape off %}
779
778
<div id="browserTraceback">
780
779
<ul class="traceback">
781
780
{% for frame in frames %}
782
781
{% ifchanged frame.exc_cause %}{% if frame.exc_cause %}
783
782
<li><h3>
784
783
{% if frame.exc_cause_explicit %}
785
-
The above exception ({{ frame.exc_cause }}) was the direct cause of the following exception:
784
+
The above exception ({{ frame.exc_cause|force_escape }}) was the direct cause of the following exception:
786
785
{% else %}
787
-
During handling of the above exception ({{ frame.exc_cause }}), another exception occurred:
786
+
During handling of the above exception ({{ frame.exc_cause|force_escape }}), another exception occurred:
788
787
{% endif %}
789
788
</h3></li>
790
789
{% endif %}{% endifchanged %}
791
790
<li class="frame {{ frame.type }}">
792
-
<code>{{ frame.filename|escape }}</code> in <code>{{ frame.function|escape }}</code>
791
+
<code>{{ frame.filename }}</code> in <code>{{ frame.function }}</code>
793
792
794
793
{% if frame.context_line %}
795
794
<div class="context" id="c{{ frame.id }}">
796
795
{% if frame.pre_context and not is_email %}
797
796
<ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">
798
797
{% for line in frame.pre_context %}
799
-
<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')"><pre>{{ line|escape }}</pre></li>
798
+
<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')"><pre>{{ line }}</pre></li>
800
799
{% endfor %}
801
800
</ol>
802
801
{% endif %}
803
802
<ol start="{{ frame.lineno }}" class="context-line">
804
803
<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')"><pre>
805
-
""" """{{ frame.context_line|escape }}</pre>{% if not is_email %} <span>...</span>{% endif %}</li></ol>
804
+
""" """{{ frame.context_line }}</pre>{% if not is_email %} <span>...</span>{% endif %}</li></ol>
806
805
{% if frame.post_context and not is_email %}
807
806
<ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">
808
807
{% for line in frame.post_context %}
809
-
<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')"><pre>{{ line|escape }}</pre></li>
808
+
<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')"><pre>{{ line }}</pre></li>
810
809
{% endfor %}
811
810
</ol>
812
811
{% endif %}
@@ -831,7 +830,7 @@ def default_urlconf(request):
831
830
<tbody>
832
831
{% for var in frame.vars|dictsort:0 %}
833
832
<tr>
834
-
<td>{{ var.0|force_escape }}</td>
833
+
<td>{{ var.0 }}</td>
835
834
<td class="code"><pre>{{ var.1 }}</pre></td>
836
835
</tr>
837
836
{% endfor %}
@@ -842,7 +841,6 @@ def default_urlconf(request):
842
841
{% endfor %}
843
842
</ul>
844
843
</div>
845
-
{% endautoescape %}
846
844
<form action="http://dpaste.com/" name="pasteform" id="pasteform" method="post">
847
845
{% if not is_email %}
848
846
<div id="pastebinTraceback" class="pastebin">
@@ -888,9 +886,9 @@ def default_urlconf(request):
888
886
889
887
Traceback:{% for frame in frames %}
890
888
{% ifchanged frame.exc_cause %}{% if frame.exc_cause %}{% if frame.exc_cause_explicit %}
891
-
The above exception ({{ frame.exc_cause }}) was the direct cause of the following exception:
889
+
The above exception ({{ frame.exc_cause|force_escape }}) was the direct cause of the following exception:
892
890
{% else %}
893
-
During handling of the above exception ({{ frame.exc_cause }}), another exception occurred:
891
+
During handling of the above exception ({{ frame.exc_cause|force_escape }}), another exception occurred:
894
892
{% endif %}{% endif %}{% endifchanged %}
895
893
File "{{ frame.filename|escape }}" in {{ frame.function|escape }}
896
894
{% if frame.context_line %} {{ frame.lineno }}. {{ frame.context_line|escape }}{% endif %}{% endfor %}
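Review bot: There is no comment explaining why `force_escape` rather than plain autoescaping is applied to `frame.exc_cause` on the four changed lines; now that `{% autoescape off %}` is gone, a reader could reasonably drop the filter as redundant, yet a `str(exception)` that is `SafeData` (which the accompanying test builds with `mark_safe()`) would pass through autoescape unescaped, and in the pastebin `<textarea>` an unescaped `</textarea>` would break out of it. Suggest a template comment before the `{% ifchanged frame.exc_cause %}` block: `{# force_escape: an exception message may be SafeData, which autoescape alone would leave unescaped #}`. Separately, `{{ var.1 }}` on new line 835 is now rendered under autoescaping with no filter, which is correct whether the value is plain text or already escaped and marked safe upstream (presumably by `force_escape` in the frame-collection code — confirm), so it should not double-escape, but it is worth noting in the same comment. The enclosing template string starts and ends outside this hunk.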
@@ -5,3 +5,12 @@ Django 1.10.8 release notes
5
5
*September 5, 2017*
6
6
7
7
Django 1.10.8 fixes a security issue in 1.10.7.
8
+
9
+
CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
10
+
=============================================================================
11
+
12
+
In older versions, HTML autoescaping was disabled in a portion of the template
13
+
for the technical 500 debug page. Given the right circumstances, this allowed
14
+
a cross-site scripting attack. This vulnerability shouldn't affect most
15
+
production sites since you shouldn't run with ``DEBUG = True`` (which makes
16
+
this page accessible) in your production settings.
@@ -9,6 +9,7 @@
9
9
import sys
10
10
11
11
from django.test import RequestFactory, TestCase
12
+
from django.utils.safestring import mark_safe
12
13
from django.views.debug import ExceptionReporter
13
14
14
15
@@ -20,10 +21,10 @@ def test_reporting_of_nested_exceptions(self):
20
21
request = self.rf.get('/test_view/')
21
22
try:
22
23
try:
23
-
raise AttributeError('Top level')
24
+
raise AttributeError(mark_safe('<p>Top level</p>'))
24
25
except AttributeError as explicit:
25
26
try:
26
-
raise ValueError('Second exception') from explicit
27
+
raise ValueError('<p>Second exception</p>') from explicit
27
28
except ValueError:
28
29
raise IndexError('Final exception')
29
30
except Exception:
@@ -37,9 +38,9 @@ def test_reporting_of_nested_exceptions(self):
37
38
html = reporter.get_traceback_html()
38
39
# Both messages are twice on page -- one rendered as html,
39
40
# one as plain text (for pastebin)
40
-
self.assertEqual(2, html.count(explicit_exc.format("Top level")))
41
-
self.assertEqual(2, html.count(implicit_exc.format("Second exception")))
41
+
self.assertEqual(2, html.count(explicit_exc.format('<p>Top level</p>')))
42
+
self.assertEqual(2, html.count(implicit_exc.format('<p>Second exception</p>')))
42
43
43
44
text = reporter.get_traceback_text()
44
-
self.assertIn(explicit_exc.format("Top level"), text)
45
-
self.assertIn(implicit_exc.format("Second exception"), text)
45
+
self.assertIn(explicit_exc.format('<p>Top level</p>'), text)
46
+
self.assertIn(implicit_exc.format('<p>Second exception</p>'), text)
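Review bot: The HTML assertions on new lines 41–42 count `explicit_exc.format('<p>Top level</p>')`, which is the same raw-markup string the plain-text assertions on lines 45–46 correctly expect from `get_traceback_text()`; if `explicit_exc`/`implicit_exc` (defined outside this hunk) contain no escaping, the HTML test would pass only when the markup is rendered unescaped, the opposite of what the fix establishes. As rendered here the page mirror may have decoded `&lt;p&gt;` entities back to `<p>`, so confirm that the HTML expectations are the escaped form, e.g. `html.count(explicit_exc.format('&lt;p&gt;Top level&lt;/p&gt;'))`. A negative assertion would also pin the fix regardless of how the counts are phrased: `self.assertNotIn('<p>Top level</p>', html)` and the same for `'<p>Second exception</p>'`, since both the frame context lines and the pastebin copy are meant to be escaped now. Using `mark_safe()` for only the first exception and a plain `str` for the second is a good split, as it covers the SafeData path that autoescape alone would miss; a one-line comment saying so would help.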