Fixed #5974 -- Added autoescaping for source code lines and local var…

…iables in

technical debug page.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6704 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 116b9d06cc492f1dcc78fce4926799a771555cfd 1 parent b1d4029
Malcolm Tredinnick authored November 20, 2007

Showing 1 changed file with 6 additions and 6 deletions.

  1. 12  django/views/debug.py
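--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -422,11 +422,11 @@ def _get_lines_from_file(filename, lineno, context_lines, loader=None, module_na
           {% if frame.context_line %}
             <div class="context" id="c{{ frame.id }}">
               {% if frame.pre_context %}
-                <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% endfor %}</ol>
+                <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line|escape }}</li>{% endfor %}</ol>
               {% endif %}
-              <ol start="{{ frame.lineno }}" class="context-line"><li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ frame.context_line }} <span>...</span></li></ol>
+              <ol start="{{ frame.lineno }}" class="context-line"><li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ frame.context_line|escape }} <span>...</span></li></ol>
               {% if frame.post_context %}
-                <ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">{% for line in frame.post_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% endfor %}</ol>
+                <ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">{% for line in frame.post_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line|escape }}</li>{% endfor %}</ol>
               {% endif %}
             </div>
           {% endif %}
@@ -445,8 +445,8 @@ def _get_lines_from_file(filename, lineno, context_lines, loader=None, module_na
               <tbody>
                 {% for var in frame.vars|dictsort:"0" %}
                   <tr>
-                    <td>{{ var.0 }}</td>
-                    <td class="code"><div>{{ var.1|pprint }}</div></td>
+                    <td>{{ var.0|escape }}</td>
+                    <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
                   </tr>
                 {% endfor %}
               </tbody>
@@ -466,7 +466,7 @@ def _get_lines_from_file(filename, lineno, context_lines, loader=None, module_na
 {% for frame in frames %}
   File "{{ frame.filename }}" in {{ frame.function }}<br/>
   {% if frame.context_line %}
-    &nbsp;&nbsp;{{ frame.lineno }}. {{ frame.context_line }}<br/>
+    &nbsp;&nbsp;{{ frame.lineno }}. {{ frame.context_line|escape }}<br/>
   {% endif %}
 {% endfor %}<br/>
 &nbsp;&nbsp;{{ exception_type }} at {{ request.path|escape }}<br/>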
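Review bot: `frame.filename` and `frame.function` on the `File "…" in …` line of the last hunk stay unescaped while `frame.context_line` two lines below now gets `|escape`; Python reports filenames such as `<string>` for code compiled from a string, and rendered raw that text is parsed by the browser as a tag and disappears from the traceback, quite apart from any path that happens to contain markup. I would make the line `File "{{ frame.filename|escape }}" in {{ frame.function|escape }}<br/>`. The same gap applies to `{{ exception_type }}` on the final line, where only `request.path` is escaped, and presumably to every other place this template prints `frame.filename` outside the hunk. These lines appear to sit inside a template string literal rather than in `_get_lines_from_file`, whose name the hunk header shows only as the nearest preceding `def`; that literal starts and ends outside the hunk.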
