Source & related discussions:
https://cure53.de/fp170.pdf
https://html5sec.org/#102
http://lcamtuf.coredump.cx/postxss/
--
Ticket URL: <https://code.djangoproject.com/ticket/23544>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
Old description:
> IE8 can suffer from XSS if backtick is left unescaped as it can be used
> to switch out of the attribute. It should be added in
> `django.utils.html.escape()` if this is a serious security issue.
>
> Source & related discussions:
>
> https://cure53.de/fp170.pdf
> https://html5sec.org/#102
> http://lcamtuf.coredump.cx/postxss/
New description:
IE8 can suffer from XSS if backtick is left unescaped as it can be used to
switch out of the attribute. It should be added in
`django.utils.html.escape()` if this is a serious security issue.
Source & related discussions:
1. Paper by Mario Heiderich: https://cure53.de/fp170.pdf
2. https://html5sec.org/#102
3. http://lcamtuf.coredump.cx/postxss/
--
Ticket URL: <https://code.djangoproject.com/ticket/23544#comment:1>
* status: new => closed
* resolution: => wontfix
Comment:
Please do not report security issues in this ticket tracker! Quoting the
new ticket page: "Please don't report security issues here! Contact
secu...@djangoproject.com instead."
This issue was previously privately reported; however, our research found
that the problem only exists in IE6, 7 and 8. IE6 and 7 are effectively
EOL, and only unpatched versions of IE8 are affected.
Given the potential impact of a change to autoescaping behaviour, the
small cross section of affected browsers, and the limited potential for
exploit (i.e., that the exploit requires a user-injected script to perform
the innerHTML manipulation), we've decided not to patch this issue.
--
Ticket URL: <https://code.djangoproject.com/ticket/23544#comment:2>
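An added illustration of the escaping question the ticket raises (this is example code, not code from the ticket, from Django, or from the linked papers). It uses the stdlib `html.escape()`, which current `django.utils.html.escape()` delegates to, as a stand-in for Django's escaper; `escape_html_with_backtick`, `render_attr` and `find_unescaped_delimiters` are names chosen here, and the input string is constructed. It shows that the standard escaper leaves backticks in a quoted attribute value untouched, and what the proposed extension would change:

```python
import html
import re

# Entity used for the backtick by the extended escaper below. The five
# characters html.escape(quote=True) handles are & < > " and '; the
# backtick is the extra character the ticket asks about, because old IE
# treated it as an attribute delimiter.
BACKTICK_ENTITY = "&#96;"


def escape_html(text):
    """Escape &, <, >, \" and ' as html.escape(quote=True) does.

    Current Django's django.utils.html.escape() delegates to this stdlib
    function (stated from knowledge of Django, not from the ticket).
    """
    return html.escape(str(text), quote=True)


def escape_html_with_backtick(text):
    """escape_html() plus backtick -> &#96;, the extension proposed in the ticket."""
    return escape_html(text).replace("`", BACKTICK_ENTITY)


def render_attr(name, value, escape=escape_html):
    """Render name="value" with the given escaper applied to value."""
    return '%s="%s"' % (name, escape(value))


# Characters that could terminate or alter a double-quoted attribute in the
# affected IE versions: the quote itself plus the backtick.
_RISKY = re.compile(r'["`]')


def find_unescaped_delimiters(rendered_attr):
    """Given a rendered name="value" pair, list risky characters left raw
    inside the quotes. An empty list means the value cannot close the
    attribute in either a standards-compliant browser or old IE."""
    inner = rendered_attr.split('="', 1)[1][:-1]
    return [m.group(0) for m in _RISKY.finditer(inner)]


if __name__ == "__main__":
    # Constructed sample value: contains a backtick, an ampersand and quotes.
    sample = 'say `hi` & "bye"'
    plain = render_attr("title", sample)
    extended = render_attr("title", sample, escape_html_with_backtick)
    print(plain)      # title="say `hi` &amp; &quot;bye&quot;"
    print(extended)   # title="say &#96;hi&#96; &amp; &quot;bye&quot;"
    print(find_unescaped_delimiters(plain))     # ['`', '`']
    print(find_unescaped_delimiters(extended))  # []
```

The `find_unescaped_delimiters` check is the kind of assertion one would put in a template test suite if the backtick is a concern in a given deployment; since the ticket was closed wontfix, the extension is something a project would apply in its own filter rather than expect from `escape()`.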