Commit 41635d21 authored by Russell Keith-Magee

Removed mark_safe from the saved request path on the admin login form. This prevents a potential XSS attack. Formal announcement will be forthcoming.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@7521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 4880ba3c
+1 −1
@@ -29,7 +29,7 @@ def _display_login_form(request, error_message=''):
        post_data = _encode_post_data({})
    return render_to_response('admin/login.html', {
        'title': _('Log in'),
        'app_path': mark_safe(request.path),
        'app_path': request.path,
        'post_data': post_data,
        'error_message': error_message
    }, context_instance=template.RequestContext(request))
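
Review bot: The `'app_path': request.path` line now depends entirely on autoescaping in `admin/login.html`, and nothing in this change verifies that the template escapes the value. Add a regression test that renders the login form for a request path containing characters such as `<`, `>` and `"` and asserts they appear only in escaped form in the output. A one-line comment on `app_path` noting that the path is client-controlled and must not be wrapped in `mark_safe` would help keep the call from being reintroduced. If `mark_safe` has no other use in this module after the edit, drop its import as well.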