WidgetMixin : take the right id in the right place for field forwarding + XSS exploit fix

yourlabs / django-autocomplete-light

A fresh approach to autocomplete implementations, specially for Django. Status: v4 alpha, v3 stable, v2 & v1 deprecated.

https://django-autocomplete-light.readthedocs.io

MIT License

1.8k stars 467 forks source link

WidgetMixin : take the right id in the right place for field forwarding + XSS exploit fix #1354

Open elapouya opened 7 months ago

elapouya commented 7 months ago

Actually, for field forwarding, there is a mismatch between the div id given at python side and the id at javascript side. At python side the widget id is not read at the right place.

In the PR there is a very quick fix for that.

There is also a XSS exploit possible in select2.js when displaying selected item : it requires to be escaped.