Filtering errors by safe is NOT safe!
This corrects the assumption that Django errors are safe. E.g. if you have a GET form with a field called foo and insert ?foo=bar into the URL, where bar is not a valid choice, the error for a ChoiceField will be: "Select a valid choice. bar is not one of the available choices." Obviously this is a VERY bad thing to mark as safe.

Imagine we have: ?foo=<script>alert('This is bad')</script>

We are now manipulating the page into executing code... This is bad.

https://docs.djangoproject.com/en/dev/topics/templates/#automatic-html-escaping
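The failure mode the commit message describes, as an added example that is not part of the commit or of Django itself: a ChoiceField reports an invalid value by echoing it back inside the error message, so piping `field.errors` through the `safe` filter turns any request parameter into raw HTML. The tiny validator and renderer below are stand-ins written for this example (assumed, not Django's code); the error text is assumed to match Django's `invalid_choice` message, and the request value is constructed to mirror the `?foo=<script>...` case above.

```python
"""Added example (not the project's code): why form error messages must stay
autoescaped.  A ChoiceField echoes the rejected value back inside its error
string; if a template marks that string 'safe', the value lands in the page
as live HTML.  The validator/renderer here are minimal stand-ins assumed for
this demo, not Django's implementation."""
from html import escape

# Assumed text of Django's ChoiceField 'invalid_choice' message; the
# %(value)s placeholder is filled with whatever the request supplied.
INVALID_CHOICE = "Select a valid choice. %(value)s is not one of the available choices."


def validate_choice(value, choices):
    """Return [] when value is an allowed choice, otherwise a one-element list
    holding an error message that still contains the raw request value."""
    if value in choices:
        return []
    return [INVALID_CHOICE % {"value": value}]


def render_errors(errors, mark_safe):
    """Render errors as an <ul class="errorlist">.

    mark_safe=True reproduces the bug ({{ field.errors|safe }}): messages are
    inserted verbatim.  mark_safe=False applies the escaping that template
    autoescape would otherwise have applied ({{ field.errors }})."""
    items = []
    for msg in errors:
        body = msg if mark_safe else escape(msg)
        items.append("<li>%s</li>" % body)
    return '<ul class="errorlist">%s</ul>' % "".join(items)


def contains_live_script(html):
    """Crude check used by the demo: is there an unescaped <script tag?"""
    return "<script" in html.lower()


CHOICES = ("red", "green", "blue")
# Constructed request value, as in the commit's ?foo=<script>... example.
PAYLOAD = "<script>alert('This is bad')</script>"

if __name__ == "__main__":
    errs = validate_choice(PAYLOAD, CHOICES)
    print("marked safe:   ", render_errors(errs, mark_safe=True))
    print("autoescaped:   ", render_errors(errs, mark_safe=False))
```

Run it and compare the two lines: the "marked safe" rendering contains a working `<script>` element built from the query string, while the autoescaped rendering shows `&lt;script&gt;` as inert text. The fix is simply to drop the `safe` filter and let autoescaping do its job.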