#17837: Markdown filter "safe" mode is vulnerable to e.g. 'onclick' attributes
-------------------------------------+-------------------------------------
     Reporter:  nomulous             |                    Owner:  nobody
         Type:  Bug                  |                   Status:  closed
    Component:  contrib.markup       |                  Version:  SVN
     Severity:  Release blocker      |               Resolution:  fixed
     Keywords:  javascript,          |             Triage Stage:  Accepted
  injection, xss, markdown           |      Needs documentation:  0
    Has patch:  1                    |  Patch needs improvement:  0
  Needs tests:  0                    |                    UI/UX:  0
Easy pickings:  0                    |
-------------------------------------+-------------------------------------
Changes (by PaulM):
 * status:  new => closed
 * resolution:   => fixed

Comment:

 In [17734]:
 {{{
 #!CommitTicketReference repository="" revision="17734"
 [1.3.X] Fixed #17837. Improved markdown safety.

 Markdown enable_attributes is now False when safe_mode is enabled.
 Documented the markdown "safe" argument. Added warnings when the safe
 argument is passed to versions of markdown which cannot be made safe.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/17837#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.