Fixing XSS scripting bug with the "next" variable when searching for a user to
impersonate.

Special thanks to Santos Gallegos @ Read The Docs for the security/bug report.
5 files changed, 14 insertions(+), 6 deletions(-)

M AUTHORS
M README.md
M README.rst
M impersonate/__init__.py
M impersonate/helpers.py
M AUTHORS +1 -1
@@ 1,6 1,6 @@ 
 Creator:
 
-Peter Sanchez <petersanchez@gmail.com>
+Peter Sanchez <pjs@petersanchez.com>
 
 
 HUGE THANKS to the following contributors:

M README.md +5 -1
@@ 3,7 3,7 @@ 
 
 Simple application to allow superusers to "impersonate" other non-superuser accounts.
 
-**Version:** 1.9.2
+**Version:** 1.9.3
 
 **Project Links:** [Issues][issues] - [Mailing List][pinbox] -
 [Contributing](#contributing)

@@ 30,6 30,10 @@ Dependencies
 
 **NOTE:**
 
+-   **Versions 1.9.2 and below** are vulnerable to an XSS scripting
+    vulnerability where an attacker can craft a malicious URL and execute JS if
+    an authorized user clicks/follows the URL. Please upgrade to 1.9.3 or
+    newer.
 -   **Version 1.6** has officially removed support for the old settings format.
 	Please see the [settings](#settings) section for how settings should be
 	configured.
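Review bot: the wording "XSS scripting vulnerability" in the added NOTE bullet is redundant (XSS already expands to cross-site scripting) and the bullet does not say which input is affected; suggest "a reflected cross-site scripting (XSS) vulnerability in the redirect field (`next` by default) of the user search page" so readers can judge their exposure. The same text appears in the README.rst hunk below and should be adjusted there too.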

M README.rst +5 -1
@@ 4,7 4,7 @@ django-impersonate |nlshield|
 Simple application to allow superusers to "impersonate" other
 non-superuser accounts.
 
-**Version:** 1.9.2
+**Version:** 1.9.3
 
 **Project Links:**
 `Issues <https://todo.code.netlandish.com/~petersanchez/django-impersonate>`__

@@ 31,6 31,10 @@ Dependencies
 
 **NOTE:**
 
+-  **Versions 1.9.2 and below** are vulnerable to an XSS scripting
+   vulnerability where an attacker can craft a malicious URL and execute
+   JS if an authorized user clicks/follows the URL. Please upgrade to
+   1.9.3 or newer.
 -  **Version 1.6** has officially removed support for the old settings
    format. Please see the `settings <#settings>`__ section for how
    settings should be configured.

M impersonate/__init__.py +1 -1
@@ 1,5 1,5 @@ 
 # -*- coding: utf-8 -*-
-VERSION = (1, 9, 2, 'final', 0)
+VERSION = (1, 9, 3, 'final', 0)
 
 
 # taken from django-registration

M impersonate/helpers.py +2 -2
@@ 3,7 3,7 @@ import re
 from importlib import import_module
 
 from django.core.paginator import EmptyPage, Paginator
-from django.utils.safestring import mark_safe
+from django.utils.html import format_html
 
 from .settings import User, settings
 

@@ 30,7 30,7 @@ def get_redir_field(request):
     if redirect_field_name:
         nextval = request.GET.get(redirect_field_name, None)
         if nextval:
-            return mark_safe(
+            return format_html(
                 u'<input type="hidden" name="{0}" value="{1}"/>'.format(
                     redirect_field_name, nextval,
                 )
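Review bot: the replacement of `mark_safe` with `format_html` in `get_redir_field` does not actually escape `nextval`, because the string is still interpolated with `.format(redirect_field_name, nextval)` before it reaches `format_html`. `format_html` only escapes the values it receives as its own positional or keyword arguments; given an already-formatted string and no arguments it just marks that string safe, so the original injection via the redirect parameter remains. The call should pass the template and the values separately:

    return format_html(
        u'<input type="hidden" name="{0}" value="{1}"/>',
        redirect_field_name, nextval,
    )

A second consequence of the current form is that a `nextval` containing `{` or `}` will make the inner `.format()` succeed but the outer `format_html` call raise on those braces, turning the request into a 500. Since `nextval` is later used as a redirect target, it is also worth validating it with Django's `url_has_allowed_host_and_scheme` (`is_safe_url` on older Django) before echoing it into the form, so that the hidden field cannot carry an off-site redirect.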