From 21a1a21d0b0373e211621e3881ae03008843a034 Mon Sep 17 00:00:00 2001
From: Russell Keith-Magee
Date: Tue, 23 Mar 2010 14:55:00 +0000
Subject: [PATCH] [1.1.X] Fixed #13177 -- Corrected usage of firstof in admin templates. Thanks to nomulous for the report and patch.
Backport of r12840 from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@12841 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 .../contrib/admin/templates/admin/base.html | 2 +-
 docs/ref/templates/builtins.txt | 20 +++++++++++++------
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/django/contrib/admin/templates/admin/base.html b/django/contrib/admin/templates/admin/base.html
index 95257285eb705..637c10508ae01 100644
--- a/django/contrib/admin/templates/admin/base.html
+++ b/django/contrib/admin/templates/admin/base.html
@@ -25,7 +25,7 @@ {% if user.is_authenticated and user.is_staff %}
{% trans 'Welcome,' %}
- {% firstof user.first_name user.username %}.
+ {% filter force_escape %}{% firstof user.first_name user.username %}{% endfilter %}.
 {% block userlinks %} {% url django-admindocs-docroot as docsroot %} {% if docsroot %}
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index d68facb0d54da..a878cd884e89b 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -112,9 +112,13 @@ You can use any number of values in a ``{% cycle %}`` tag, separated by spaces. Values enclosed in single (``'``) or double quotes (``"``) are treated as string literals, while values without quotes are treated as template variables.
-Note that the variables included in the cycle will not be escaped. This is
-because template tags do not escape their content. If you want to escape the
-variables in the cycle, you must do so explicitly::
+Note that the variables included in the cycle will not be escaped.
+This is because template tags do not escape their content. Any HTML or
+Javascript code contained in the printed variable will be rendered
+as-is, which could potentially lead to security issues.
+
+If you need to escape the variables in the cycle, you must do so
+explicitly::
 {% filter force_escape %} {% cycle var1 var2 var3 %} 
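Review bot: The added `{% filter force_escape %}` wrapper is correct for this spot but carries no explanation, so the next editor of base.html has no cue that `firstof` emits its value without autoescaping and may drop or move the wrapper; a template comment on the line above would guard against that, e.g. `{# firstof does not autoescape its output; first_name and username are user-supplied, so escape explicitly #}`. Both values wrapped here appear to be plain user-profile strings, so force_escape is the right choice over marking anything safe. The commit only touches this one occurrence; whether other admin templates render `firstof` or `cycle` with user-controlled values cannot be seen from the hunk and would be worth a separate check. The enclosing `{% if user.is_authenticated and user.is_staff %}` block continues outside the hunk.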
@@ -202,9 +206,13 @@ passed variables are False::
 {% firstof var1 var2 var3 "fallback value" %}
-Note that the variables included in the firstof tag will not be escaped. This
-is because template tags do not escape their content. If you want to escape
-the variables in the firstof tag, you must do so explicitly::
+Note that the variables included in the firstof tag will not be
+escaped. This is because template tags do not escape their content.
+Any HTML or Javascript code contained in the printed variable will be
+rendered as-is, which could potentially lead to security issues.
+
+If you need to escape the variables in the firstof tag, you must do so
+explicitly::
 {% filter force_escape %} {% firstof var1 var2 var3 "fallback value" %}