Alex Pyrgiotis authored
The admin app has three kinds of views: detail views, table views and charts.

* The detail views should typically be protected from XSS attacks, except for some edge cases which are shown here [1].
* The chart views should most probably be protected from XSS attacks, due to the fact that they are rendered as SVG and we don't show user input (except for one chart which has been sanitized).
* The list view on the other hand is easily exploitable. To fix this, we have created a base DataTablesView class that escapes each table row by default. Also, we escape each piece of extra data that has originated from user input separately.

Fix apyrgio/synnefo#190

[1] https://docs.djangoproject.com/en/1.4/topics/security/#cross-site-scripting-xss-protection
2751179b
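One way to implement the escape-by-default behaviour the commit describes, as an added example in plain Python using `html.escape` (hypothetical helper names and constructed sample rows; this is not synnefo's DataTablesView code):

```python
import html

# Constructed sample rows in the shape a DataTables-style JSON response
# carries them (hypothetical data, not from the project).
SAMPLE_ROWS = [
    ["user1", "<script>alert(1)</script>", "active"],
    ["user2", "Bob & Co", "inactive"],
]


def escape_row(row):
    """Escape every cell of one table row before it reaches the browser.

    Non-string cells (ints, None) are converted to str first, so the caller
    never has to remember which columns hold user-controlled input.
    """
    return [html.escape("" if cell is None else str(cell), quote=True)
            for cell in row]


def escape_rows(rows):
    """Escape all rows; this is the 'escape by default' step."""
    return [escape_row(row) for row in rows]


def datatables_payload(rows, extra=None):
    """Build the dict a DataTablesView-like view would serialise to JSON.

    Rows are escaped by default; any 'extra' values that originate from
    user input are escaped separately, mirroring the two steps the
    commit message describes.
    """
    payload = {"aaData": escape_rows(rows)}
    if extra:
        payload["extra"] = {key: html.escape(str(value), quote=True)
                            for key, value in extra.items()}
    return payload
```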