[3.2] py-django: XSS in admin's add/change related popup (CVE-2016-6186)
Unsafe usage of JavaScript’s Element.innerHTML could result in XSS in the admin’s add/change related popup. Element.textContent is now used to prevent execution of the data.

The debug view also used innerHTML. Although a security issue wasn’t identified there, out of an abundance of caution it’s also updated to use textContent.
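To make the innerHTML-versus-textContent distinction concrete, here is an added example (not Django's code and not part of this tracker entry). Since Node has no DOM, a small stand-in element models the two setters: innerHTML runs the string through a markup parser and produces element nodes, textContent stores the string as a single text node. The untrusted label, the stand-in element, and the helper names (makeElement, renderLabelUnsafe, renderLabelSafe, renderLabelEscaped) are all assumptions for the example.

```javascript
// Added example, not code from Django or the Alpine tracker. It contrasts the
// pre-fix innerHTML pattern with the textContent fix described in the advisory.
// `makeElement` is a constructed stand-in for a DOM element so this runs in Node.

// Matches an opening or closing tag; group 1 is the tag name.
const TAG_RE = /<\/?([A-Za-z][\w-]*)[^>]*>/g;

function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
          .replace(/&amp;/g, '&'); // &amp; last, so "&amp;lt;" does not become "<"
}

function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
                  .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Stand-in element: innerHTML parses markup into child nodes,
// textContent replaces the children with one literal text node.
function makeElement() {
  const el = { children: [] };
  Object.defineProperty(el, 'innerHTML', {
    set(html) {
      const s = String(html);
      el.children = [];
      let last = 0;
      for (const m of s.matchAll(TAG_RE)) {
        if (m.index > last) el.children.push({ type: 'text', data: decodeEntities(s.slice(last, m.index)) });
        el.children.push({ type: 'element', tag: m[1].toLowerCase() });
        last = m.index + m[0].length;
      }
      if (last < s.length) el.children.push({ type: 'text', data: decodeEntities(s.slice(last)) });
    },
  });
  Object.defineProperty(el, 'textContent', {
    set(text) { el.children = [{ type: 'text', data: String(text) }]; },
  });
  return el;
}

function elementChildren(el) { return el.children.filter(c => c.type === 'element').map(c => c.tag); }
function textOf(el) { return el.children.filter(c => c.type === 'text').map(c => c.data).join(''); }

// Pre-fix pattern: an untrusted label is handed to the HTML parser.
function renderLabelUnsafe(el, label) { el.innerHTML = label; return el; }
// The fix: the label is stored as text and never parsed as markup.
function renderLabelSafe(el, label) { el.textContent = label; return el; }
// Equivalent defence where innerHTML cannot be avoided: escape first.
function renderLabelEscaped(el, label) { el.innerHTML = escapeHtml(label); return el; }

// Constructed untrusted input, e.g. the display string of a related object
// picked in the popup; it contains markup the author of that object controls.
const UNTRUSTED_LABEL = 'Acme <b>Inc</b> & Co';

function demo() {
  const unsafe = renderLabelUnsafe(makeElement(), UNTRUSTED_LABEL);
  const safe = renderLabelSafe(makeElement(), UNTRUSTED_LABEL);
  const escaped = renderLabelEscaped(makeElement(), UNTRUSTED_LABEL);
  return {
    unsafeElements: elementChildren(unsafe),   // ['b', 'b']: markup was interpreted
    safeElements: elementChildren(safe),       // []: nothing was parsed
    escapedElements: elementChildren(escaped), // []: entities are not tags
    safeText: textOf(safe),                    // the original string, verbatim
    escapedText: textOf(escaped),              // decodes back to the original string
  };
}

console.log(demo());
```

In a browser the same renderLabelSafe call works on a real node (document.getElementById(...)) because the stand-in mirrors the DOM setters; the point the result makes is that the unsafe path yields element nodes from attacker-controlled text, while textContent and pre-escaped innerHTML both yield only a text node whose content equals the input.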
Fixed In Version: django 1.9.8, django 1.8.14
References: https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
(from redmine: issue id 5915, created on 2016-07-19, closed on 2016-07-20)
- Relations:
  - parent #5911 (closed)
- Changesets:
  - Revision 358cf40e by Natanael Copa on 2016-07-19T09:09:48Z:
    main/py-django: security upgrade to 1.8.14 (CVE-2016-6186)
    fixes #5915