Closed bpartridge closed 4 years ago
Hello, First of all thank you very much for your collaboration. I am reviewing and accepting the PR I have open. Could you check the conflict in your PR?
Thank you
I tested this PR and the changes have broken the functionality because the widget content has been lost.
There's currently a dangerous XSS injection opportunity if any data includes a string including a closing script tag. It will cause the script to be closed early, and any subsequent characters may be injected into the HTML of the admin page, including malicious scripts.
escapejs within a string is a better filter to use for this purpose, and we parse the resulting string. Users may apply a temporary fix in their own codebases with the following:
And then replace the offending line in django_json_widget_patched.html in your codebase.
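The mechanism behind this report, shown as an added example rather than the widget's own template or the patch from the PR: a hypothetical template that dumps raw JSON into a script block, beside the hardened shape that wraps the JSON in a quoted JS string literal filtered with escapejs and then parses it on the client. The escape table is a local copy of the characters Django's escapejs filter rewrites (use django.utils.html.escapejs in real code); the template strings, the payload and the helper names are all constructed for this illustration.

```python
"""Added example, not django-json-widget code.

Demonstrates why raw JSON inside <script> is an XSS when a value contains a
closing script tag, and why escapejs inside a quoted string plus JSON.parse
is safe. The escape table mirrors Django's ``escapejs`` filter; in a real
project call ``django.utils.html.escapejs`` instead of this copy.
"""
import json
import re

# Characters Django's escapejs rewrites, each to a \uXXXX escape.
_JS_ESCAPES = {
    "\\": "\\u005C", "'": "\\u0027", '"': "\\u0022", ">": "\\u003E",
    "<": "\\u003C", "&": "\\u0026", "=": "\\u003D", "-": "\\u002D",
    ";": "\\u003B", "`": "\\u0060", "\u2028": "\\u2028", "\u2029": "\\u2029",
}
_JS_ESCAPES.update({chr(z): "\\u%04X" % z for z in range(32)})

# Constructed attacker-controlled value: the case the issue describes.
PAYLOAD = {"note": "</script><script>alert(1)</script>"}


def escapejs(value: str) -> str:
    """Escape a string for use inside a JS string literal (Django's table)."""
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in value)


def render_unsafe(data) -> str:
    """Vulnerable pattern (hypothetical template): raw JSON dropped into
    script code, the equivalent of ``{{ value|safe }}``."""
    return "<script>var data = %s;</script>" % json.dumps(data)


def render_escaped(data) -> str:
    """Hardened pattern (hypothetical template): JSON placed inside a quoted
    JS string, escaped with escapejs, parsed on the client, the equivalent
    of ``JSON.parse("{{ value|escapejs }}")``."""
    return '<script>var data = JSON.parse("%s");</script>' % escapejs(json.dumps(data))


def script_body(html: str) -> str:
    """What an HTML parser treats as the first script's code. The HTML
    tokenizer ends script data at the first '</script' it sees; JS string
    quoting does not protect it (regex is a simplification of that rule)."""
    m = re.search(r"<script>(.*?)</script", html, re.IGNORECASE | re.DOTALL)
    return m.group(1) if m else ""


def leaked_markup(html: str) -> str:
    """Everything after the first script terminator: this is what the
    browser interprets as page HTML, including attacker-supplied tags."""
    m = re.search(r"</script\s*>", html, re.IGNORECASE)
    return html[m.end():] if m else ""


def decoded_client_value(html: str):
    """Simulate the client side of the hardened template: pull the JS string
    literal out, decode it, then JSON.parse it. A JSON string literal is a
    valid JS string literal, so json.loads stands in for the JS decoder."""
    m = re.search(r'JSON\.parse\("(.*)"\)', script_body(html), re.DOTALL)
    return json.loads(json.loads('"' + m.group(1) + '"'))


if __name__ == "__main__":
    print("unsafe script body :", repr(script_body(render_unsafe(PAYLOAD))))
    print("unsafe leaked HTML :", repr(leaked_markup(render_unsafe(PAYLOAD))))
    print("escaped leaked HTML:", repr(leaked_markup(render_escaped(PAYLOAD))))
    print("client sees        :", decoded_client_value(render_escaped(PAYLOAD)))
```

The important design point is that escapejs only helps inside a quoted JS string literal: it turns `<`, `>` and `"` into `\u003C`, `\u003E` and `\u0022`, so the tokenizer never sees a `</script` sequence and the page HTML after the real closing tag is empty, while `JSON.parse` on the client restores the original object unchanged.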