# HG changeset patch
# User Peter Sanchez
# Date 1718317294 21600
# Thu Jun 13 16:21:34 2024 -0600
# Node ID 06991a735f290884eec08effb3fa31ed45cc26e5
# Parent ed7f09b3bb9f2168888c15562e29471ea82373c2
Fixing XSS scripting bug with the "next" variable when searching for a user to impersonate. Special thanks to Santos Gallegos @ Read The Docs for the security/bug report.
diff --git a/AUTHORS b/AUTHORS
--- a/AUTHORS
+++ b/AUTHORS
@@ -1,6 +1,6 @@ Creator:
-Peter Sanchez
+Peter Sanchez
 HUGE THANKS to the following contributors:
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ Simple application to allow superusers to "impersonate" other non-superuser accounts.
-**Version:** 1.9.2
+**Version:** 1.9.3
 **Project Links:** [Issues][issues] - [Mailing List][pinbox] - [Contributing](#contributing)
@@ -30,6 +30,10 @@ **NOTE:**
+- **Versions 1.9.2 and below** are vulnerable to an XSS scripting
+ vulnerability where an attacker can craft a malicious URL and execute JS if
+ an authorized user clicks/follows the URL. Please upgrade to 1.9.3 or
+ newer.
 - **Version 1.6** has officially removed support for the old settings format. Please see the [settings](#settings) section for how settings should be configured.
diff --git a/README.rst b/README.rst
--- a/README.rst
+++ b/README.rst
@@ -4,7 +4,7 @@ Simple application to allow superusers to "impersonate" other non-superuser accounts.
-**Version:** 1.9.2
+**Version:** 1.9.3
 **Project Links:** `Issues `__
@@ -31,6 +31,10 @@ **NOTE:**
+- **Versions 1.9.2 and below** are vulnerable to an XSS scripting
+ vulnerability where an attacker can craft a malicious URL and execute
+ JS if an authorized user clicks/follows the URL. Please upgrade to
+ 1.9.3 or newer.
 - **Version 1.6** has officially removed support for the old settings format. Please see the `settings <#settings>`__ section for how settings should be configured.
diff --git a/impersonate/__init__.py b/impersonate/__init__.py
--- a/impersonate/__init__.py
+++ b/impersonate/__init__.py
@@ -1,5 +1,5 @@ # -*- coding: utf-8 -*-
-VERSION = (1, 9, 2, 'final', 0)
+VERSION = (1, 9, 3, 'final', 0)
 # taken from django-registration
diff --git a/impersonate/helpers.py b/impersonate/helpers.py
--- a/impersonate/helpers.py
+++ b/impersonate/helpers.py
@@ -3,7 +3,7 @@ from importlib import import_module
 from django.core.paginator import EmptyPage, Paginator
-from django.utils.safestring import mark_safe
+from django.utils.html import format_html
 from .settings import User, settings
@@ -30,7 +30,7 @@ if redirect_field_name:
 nextval = request.GET.get(redirect_field_name, None)
 if nextval:
- return mark_safe(
+ return format_html(
 u''.format(
 redirect_field_name, nextval,
 )
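Review bot: The escaping this commit relies on never happens, because the unchanged context lines still call `u''.format(redirect_field_name, nextval,)` first, so `format_html` receives an already-interpolated string and no positional arguments, and its `conditional_escape` step has nothing to escape. The template and the values have to be handed to `format_html` separately, i.e. drop the `.format(` call and move the two arguments up: `return format_html(u'<TEMPLATE LITERAL FROM THE HUNK>', redirect_field_name, nextval)`. As written, `format_html` also runs `str.format()` over the already-substituted value, so a `{` or `}` in the `next` query parameter would raise instead of rendering. The enclosing function begins before and ends after this hunk (neither the `def` line nor the outer closing parenthesis is shown), and the HTML tag inside the template literal has been stripped by the page rendering, which is why it appears here as `u''`. Until the call is restructured, the README note and version bump in this same changeset claim a fix that the code does not deliver.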