ritstudentgovernment/PawPrints

HTML encoding present in titles

Opened this issue · 2 comments

https://pawprints.rit.edu/?p=3416 is an example.

This seems like it might be a bug with how user-input content is escaped and displayed. This also may have some larger security implications if fixed incorrectly.

This is an issue with bleach from Django. I do not believe there are any associated security issues currently, but it is worth investigating.

thanks for the tip!

i was thinking security in the sense that if we allow too much HTML to be actually rendered by the user, it could be a situation where someone could put a malicious <script> tag in the title or something, but i think this is handled by a django library, so they probably thought of that
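The symptom in the thread (literal `&lt;` showing up in a title) and the `<script>`-in-title worry are two sides of the same escaping question, so here is an added, stand-alone illustration that is not PawPrints' code. It assumes a pipeline in which the title is sanitized bleach-style on save and then autoescaped again by the Django template on render; `html.escape` from the standard library stands in for `bleach.clean`, which likewise turns disallowed tags into entities.

```python
"""Sanitize-then-autoescape double-encodes a title; escape exactly once instead.

Assumed pipeline (not the project's actual code): a bleach-style sanitizer runs on
save, and Django's template autoescape runs again on render. html.escape stands in
for bleach.clean here so the example needs no third-party package.
"""
import html
import re

# Matches a single HTML entity such as &lt; &amp; &#39; or &#x27;
ENTITY_RE = re.compile(r"&(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);")


def sanitize_on_save(title: str) -> str:
    # Stand-in for bleach.clean(): disallowed tags are escaped, not stripped.
    return html.escape(title, quote=True)


def autoescape_on_render(value: str) -> str:
    # What Django does to any non-"safe" string in a template with autoescape on.
    return html.escape(value, quote=True)


def naive_pipeline(title: str) -> str:
    # Sanitized on save, escaped again on render: the ampersands from the first
    # pass are escaped a second time, producing &amp;lt; in the markup.
    return autoescape_on_render(sanitize_on_save(title))


def fixed_pipeline(title: str) -> str:
    # Store the raw title; let the template escape it exactly once. A <script>
    # tag in the title is then rendered as inert text, never executed.
    return autoescape_on_render(title)


def what_user_sees(rendered: str) -> str:
    # The browser decodes entities once; this is the text shown in the title.
    return html.unescape(rendered)


def is_double_encoded(rendered: str) -> bool:
    # Heuristic check for the reported bug: after one decode, entities remain,
    # so the page will display "&lt;" instead of "<". Titles that legitimately
    # contain a literal "&amp;" would also trip this, so treat it as a signal.
    return ENTITY_RE.search(html.unescape(rendered)) is not None


if __name__ == "__main__":
    constructed_title = "<script>alert(1)</script>"  # constructed sample input
    for name, fn in (("naive", naive_pipeline), ("fixed", fixed_pipeline)):
        out = fn(constructed_title)
        print(f"{name}: markup={out!r} shown={what_user_sees(out)!r} "
              f"double_encoded={is_double_encoded(out)}")
```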