Closed willmeyers closed 7 months ago
Good catch. I'll make it safe today.
It turns out that Pygments (the syntax highlighter) was unescaping escaped characters. I've changed it to selectively handle syntax highlighting, and manually escaping the injected content.
Fixed in da95468f8c7dd3643d3759d9b63f5204b2c49baf
@HermanMartinus
I discovered an XSS vulnerability that should be patched.
To reproduce:
{{ post_title }}
I believe other template tags might also be available which could include other security issues.