angler-fishThe Vulnerability History Project

[1.8.x] Fixed #24464 -- Made built-in HTML template filter functions escape their input by default.

      This may cause some backwards compatibility issues, but may also
resolve security issues in third party projects that fail to heed warnings
in our documentation.

Thanks Markus Holtermann for help with tests and docs.

Backport of fa350e2f303572ee8f9a8302dda45a12288d3d95 from master
by Jerome the Yellow Eyed Penguin 2015-03-08 11:34:55 UTC
commit d16e4e1d6f95e6f46bff53cc4fd0ab398b8e5059
Django Fix Writing the Read-Only CVE-2015-2241
django/template/defaultfilters.py
+7 -7
docs/howto/custom-template-tags.txt
+8 -19
docs/releases/1.8.txt
-20
tests/template_tests/filter_tests/test_join.py
-12
tests/template_tests/filter_tests/test_linebreaks.py
-12
tests/template_tests/filter_tests/test_linebreaksbr.py
-12
tests/template_tests/filter_tests/test_linenumbers.py
-12
tests/template_tests/filter_tests/test_unordered_list.py
+2 -49
tests/template_tests/filter_tests/test_urlize.py
+7 -19
tests/template_tests/filter_tests/test_urlizetrunc.py
-12
expand_less