Django Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2015-0220
Reference:
CVE-2015-0220
Title:
Django Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability
Overview:
The django.util.http.is_safe_url function in Django before 1.4.18 1.6.x before 1.6.10 and 1.7.x before 1.7.3 does not properly handle leading whitespaces which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL related to redirect URLs as demonstrated by a quotnjavascript:quot URL.