The following flaw was found in Django:
If a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, the application can be exposed to an XSS attack, because some browsers, such as Google Chrome, ignore control characters at the start of a URL in an anchor href.
This issue affects Django versions 1.8.x, 1.7.x, 1.6.x, and 1.4.x. This issue is fixed in versions 1.8 release candidate 1 (or beta 3), 1.7.7, 1.6.11, and 1.4.20.
Red Hat would like to thank the upstream Django project for reporting this issue.
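As an added illustration (not Django's own code and not the patch attached to this bug), below is a simplified safe-redirect check in the style of is_safe_url(): first a naive version that only inspects the parsed scheme and host, then a hardened version that adds the guard the upstream fix introduced, rejecting any URL whose first character falls in a Unicode control category. The host name and sample inputs are constructed for the example.

```python
import unicodedata
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def is_safe_url_naive(url, host):
    """Accept a same-host absolute URL or anything that parses as relative.

    This mirrors the weakness described above: a URL such as
    "\\x08https://evil.example/" has no parseable scheme or netloc, so it
    looks relative here, yet a browser that ignores the leading control
    character will follow it as an absolute URL to another site.
    """
    if not url:
        return False
    info = urlparse(url)
    if info.scheme and info.scheme not in ALLOWED_SCHEMES:
        return False
    return not info.netloc or info.netloc == host


def is_safe_url_hardened(url, host):
    """Same check, plus the control-character guard from the upstream fix."""
    if not url:
        return False
    # Reject URLs that start with a character in a Unicode "C" category
    # (Cc control, Cf format, etc.); browsers may strip it and then
    # interpret the remainder as a scheme-bearing or host-bearing URL.
    if unicodedata.category(url[0])[0] == "C":
        return False
    info = urlparse(url)
    if info.scheme and info.scheme not in ALLOWED_SCHEMES:
        return False
    return not info.netloc or info.netloc == host


if __name__ == "__main__":
    # Constructed inputs; "example.com" is the application's own host.
    for candidate in ("/accounts/profile/", "https://example.com/next",
                      "https://evil.example/", "\x08https://evil.example/"):
        print(repr(candidate), is_safe_url_naive(candidate, "example.com"),
              is_safe_url_hardened(candidate, "example.com"))
```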
Created attachment 1002809
Created attachment 1002810
Created attachment 1002811
Created attachment 1002812
Created attachment 1002813
Created Django14 tracking bugs for this issue:
Affects: epel-6 [bug 1203619]
Created python-django14 tracking bugs for this issue:
Affects: fedora-20 [bug 1203617]
Created python-django tracking bugs for this issue:
Affects: fedora-all [bug 1203616]
Affects: epel-7 [bug 1203618]
python-django-1.6.11-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Django14-1.4.20-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
python-django14-1.4.20-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.