You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Fix a XSS vulnerability with bad input to json_dumps.
Django's JSON serialization does not handle escaping of any characters
to make them safe for injecting into HTML. This allows an attacker who
can provide part of a JSON-serializable object to craft a string that
can break out of a <script> tag and create its own, injecting a custom
script.
To fix this, we escape '<', '>', and '&' characters in the resulting
string, preventing a </script> from executing.
0 commit comments