Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fixed #5974 -- Added autoescaping for source code lines and local var…

…iables in

technical debug page.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6704 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 116b9d06cc492f1dcc78fce4926799a771555cfd 1 parent b1d4029
Malcolm Tredinnick malcolmt authored
Showing with 6 additions and 6 deletions.
  1. +6 −6 django/views/debug.py
12 django/views/debug.py
View
@@ -422,11 +422,11 @@ def _get_lines_from_file(filename, lineno, context_lines, loader=None, module_na
{% if frame.context_line %}
<div class="context" id="c{{ frame.id }}">
{% if frame.pre_context %}
- <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% endfor %}</ol>
+ <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line|escape }}</li>{% endfor %}</ol>
{% endif %}
- <ol start="{{ frame.lineno }}" class="context-line"><li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ frame.context_line }} <span>...</span></li></ol>
+ <ol start="{{ frame.lineno }}" class="context-line"><li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ frame.context_line|escape }} <span>...</span></li></ol>
{% if frame.post_context %}
- <ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">{% for line in frame.post_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% endfor %}</ol>
+ <ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">{% for line in frame.post_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line|escape }}</li>{% endfor %}</ol>
{% endif %}
</div>
{% endif %}
@@ -445,8 +445,8 @@ def _get_lines_from_file(filename, lineno, context_lines, loader=None, module_na
<tbody>
{% for var in frame.vars|dictsort:"0" %}
<tr>
- <td>{{ var.0 }}</td>
- <td class="code"><div>{{ var.1|pprint }}</div></td>
+ <td>{{ var.0|escape }}</td>
+ <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
</tr>
{% endfor %}
</tbody>
@@ -466,7 +466,7 @@ def _get_lines_from_file(filename, lineno, context_lines, loader=None, module_na
{% for frame in frames %}
File "{{ frame.filename }}" in {{ frame.function }}<br/>
{% if frame.context_line %}
- &nbsp;&nbsp;{{ frame.lineno }}. {{ frame.context_line }}<br/>
+ &nbsp;&nbsp;{{ frame.lineno }}. {{ frame.context_line|escape }}<br/>
{% endif %}
{% endfor %}<br/>
&nbsp;&nbsp;{{ exception_type }} at {{ request.path|escape }}<br/>
Please sign in to comment.
Something went wrong with that request. Please try again.