Escape HTML output #1469
Conversation
As per Django's documentation:

> Clearly, user-submitted data shouldn’t be trusted blindly and inserted directly into your web pages, because a malicious user could use this kind of hole to do potentially bad things. This type of security exploit is called a Cross Site Scripting (XSS) attack.
>
> To avoid this problem, you have two options:
>
> * One, you can make sure to run each untrusted variable through the escape filter (documented below), which converts potentially harmful HTML characters to unharmful ones.
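To illustrate the point of the quoted guidance, here is an added example (not code from this PR or from django-import-export) showing an error line rendered with the untrusted value inserted raw, beside the same line with each untrusted variable escaped first. It assumes Python's standard-library `html.escape`, which neutralises the same characters (`&`, `<`, `>`, `"`, `'`) as Django's escape filter; the input value is a constructed sample.

```python
import html

# Constructed sample of untrusted input: e.g. a cell value from an uploaded
# file that is later echoed back to the user inside an HTML error report.
UNTRUSTED_VALUE = '<script>alert(1)</script>'


def render_error_unsafe(field: str, value: str) -> str:
    """Vulnerable form: user-submitted data goes straight into the markup."""
    return f"<li>Invalid value for {field}: {value}</li>"


def render_error_safe(field: str, value: str) -> str:
    """Hardened form: every untrusted variable is escaped before insertion.

    html.escape(quote=True) rewrites & < > " ' as entities, so the browser
    renders the value as text instead of parsing it as HTML.
    """
    return f"<li>Invalid value for {html.escape(field)}: {html.escape(value)}</li>"


def leaks_raw_markup(rendered: str, untrusted: str) -> bool:
    """Check used in a test suite: does the output still carry the raw input?"""
    return untrusted in rendered


def escape_once(value: str) -> str:
    """Caveat: escape at the output boundary exactly once. Escaping a value that
    is already escaped turns '&lt;' into '&amp;lt;', which shows up as a
    literal '&lt;' in the page. Unescape first if the origin is uncertain."""
    return html.escape(html.unescape(value))


if __name__ == "__main__":
    print(render_error_unsafe("name", UNTRUSTED_VALUE))
    print(render_error_safe("name", UNTRUSTED_VALUE))
```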
Hi Klaas - thanks so much for raising the issues and suggesting PRs, we appreciate it. I would recommend you test against v3 which is in beta (branch is release-3-x). There are a lot of changes coming in v3. You'd be very welcome to submit PRs in either v2 or v3, but please check out the contribution guide first. v3 is going to soon become the mainline version, with v2 supported for some time for bug fixes.

This particular PR does not apply on release-3-x; given its nature, might I suggest merging it into master anyway?

@matthewhegarty anything I can do to move this PR and the others forward?

I'll have to take a look when I get some time - maybe at the weekend. Thanks for your contributions.

Thanks again for submitting this. I fixed the

LGTM, feel free to merge

@matthewhegarty any chance you could release

2.9.0 released