Django 1.6.11 release notes
Django 1.6.11 fixes two security issues in 1.6.10.
Denial-of-service possibility with strip_tags()
To remedy this issue, strip_tags()
will now return the original input if it detects that the length of the string it is processing increases. Remember that absolutely NO guarantee is provided about the result being HTML safe. So NEVER mark safe the result of a strip_tags()
call without escaping it first, for example with escape().
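The two rules above (stop the iterative stripping as soon as a pass fails to shrink the text, and escape the result before ever marking it safe) as an added, self-contained illustration. This is example code, not Django's own strip_tags(): Django strips one layer with an HTMLParser subclass, and a regex stands in for that here, so the exact set of tags removed differs; the escaping step uses the standard library's html.escape() in place of Django's escape().

```python
import html
import re

# Added example of the guarded, iterative stripping described above. This is
# illustration code, not Django's strip_tags(): Django strips one layer with an
# HTMLParser subclass, and a regex stands in for that here.
_TAG_RE = re.compile(r"<[^<>]*>")   # one innermost <...> tag with no nested '<'


def _strip_once(value):
    """Remove one layer of tags. Nested markup such as <<b>b> survives a
    single pass as <b>, which is why the caller loops."""
    return _TAG_RE.sub("", value)


def strip_tags(value):
    """Strip tags repeatedly, but stop as soon as a pass fails to shrink the text.

    The length test bounds the loop by len(value) passes: an input that a pass
    cannot shorten (or that a parser quirk would make longer) ends the loop, and
    the text as stripped so far is returned instead of spinning forever.
    """
    while "<" in value and ">" in value:
        new_value = _strip_once(value)
        if len(new_value) >= len(value):
            # No progress in this pass: stop rather than loop or grow.
            break
        value = new_value
    return value


def escaped_plain_text(untrusted_html):
    """The safe pattern from the note: strip, then escape. Only the result of
    this function is a candidate for mark_safe(); strip_tags() output alone is
    not, because a stray '<' or '&' can survive stripping."""
    return html.escape(strip_tags(untrusted_html), quote=True)
```

The input "1 > 0 < 2" is the instructive case: it contains both a '<' and a '>', so the loop runs, but no pass can remove anything, and without the length check an implementation that only compares for equality against a parser that rewrites the text each pass would never terminate. The returned text still contains raw '<' and '>', which is exactly why it must go through escaping before being marked safe.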
Mitigated possible XSS attack via user-supplied redirect URLs
However, if a developer relies on is_safe_url()
to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack, as some browsers, such as Google Chrome, ignore control characters at the start of a URL in an anchor.
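The failure mode described above, side by side with the hardened check, as an added example. Neither function is Django's is_safe_url(): they are illustrative reimplementations of the same shape of check, with a hand-rolled scheme/authority split so that the pre-fix behaviour does not depend on how a given Python release's urllib.parse treats leading control characters. The hardened version goes slightly beyond the page by also refusing leading whitespace, which browsers drop in the same way; that addition, the helper names and redirect_link() are this example's own.

```python
import html
import re
import unicodedata

# Added example of the redirect-target check discussed above. The two check
# functions are illustrative, not Django's is_safe_url(); the URL split is a
# minimal scheme/authority parse written here rather than urllib.parse.
ALLOWED_SCHEMES = ("http", "https")
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def _split(url):
    """Return (scheme, netloc) of a URL. A scheme must start with a letter, so a
    leading control character means 'no scheme', i.e. a relative path."""
    m = _SCHEME_RE.match(url)
    scheme = m.group(1).lower() if m else ""
    rest = url[m.end():] if m else url
    netloc = re.split(r"[/?#]", rest[2:], maxsplit=1)[0] if rest.startswith("//") else ""
    return scheme, netloc


def _scheme_and_host_ok(url, host):
    """Shared rule: relative URLs, or http(s) URLs on our own host."""
    url = url.replace("\\", "/")        # Chrome treats a backslash as a slash
    if url.startswith("///"):           # Chrome reads this as an absolute URL
        return False
    scheme, netloc = _split(url)
    if scheme and not netloc:           # e.g. javascript:alert(1), http:///x
        return False
    return (not netloc or netloc == host) and (not scheme or scheme in ALLOWED_SCHEMES)


def is_safe_url_before_fix(url, host):
    """Pre-fix shape: "\\x08javascript:alert(1)" has no parseable scheme, so it
    looks like a harmless relative path and is accepted."""
    return bool(url) and _scheme_and_host_ok(url, host)


def is_safe_url_fixed(url, host):
    """Hardened shape: refuse a URL whose first character is a Unicode control
    character (category C*), which a browser such as Chrome drops before
    parsing, turning the 'relative path' back into a javascript: URL. Leading
    whitespace is refused for the same reason (an addition of this example)."""
    if not url:
        return False
    first = url[0]
    if first.isspace() or unicodedata.category(first)[0] == "C":
        return False
    return _scheme_and_host_ok(url, host)


def redirect_link(url, host, check=is_safe_url_fixed):
    """Where the XSS would land: the checked URL goes into an href. With the
    pre-fix check the control character survives html.escape() unchanged and
    the browser runs the javascript: URL; with the fixed check the link is
    simply not rendered."""
    if not check(url, host):
        return None
    return '<a href="%s">continue</a>' % html.escape(url, quote=True)
```

Note that attribute escaping does not help here: a backspace character is neither a quote nor an angle bracket, so html.escape() passes it through and the anchor is syntactically valid HTML. The only defence is to refuse the URL before it reaches the template, which is what the control-character check does.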