
Any HTML file readable by the app can be rendered and have the template source exposed #29

Closed

Opened by @thibaudcolas

Description

In GitLab by @bcdickinson on Nov 30, 2019, 12:52

Steps to reproduce (using the test app and ./runserver.sh):

  1. Create a file tests/templates/secure/fail.html with the following content:
     {% if False %}Don't show me{% endif %}
  2. Run the test app with ./runserver.sh
  3. Go to http://localhost:8000/pattern-library/pattern/secure/fail.html
  4. Recoil in horror as your non-pattern template's logic is exposed to anyone.

This is a problem because this template is not part of the pattern library and shouldn't be exposed just because the pattern library app is enabled.
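The mitigation the report points at is an allow-list: the pattern view should only render templates that actually belong to the pattern library, and it should decide that on a normalized template name so that `..` segments cannot walk out of the allowed area. The following is an added illustration, not the project's own code. It assumes a configured set of template-name prefixes (`patterns/` here) that mark pattern templates, a constructed in-memory template store in place of the filesystem, and a stand-in `loader` callable where Django's template engine would normally sit.

```python
import posixpath

# Assumed configuration (not taken from the page or the project): template-name
# prefixes that belong to the pattern library. Anything outside them is an
# ordinary application template and must never be served by the pattern view.
ALLOWED_PATTERN_PREFIXES = ("patterns/",)


def normalize_template_name(name: str) -> str:
    """Collapse '.', '..', duplicate and leading slashes so that prefix checks
    cannot be bypassed with names such as 'patterns/../secure/fail.html'."""
    # Django template names are slash-separated regardless of host OS.
    name = name.replace("\\", "/").lstrip("/")
    return posixpath.normpath(name)


def is_pattern_template(name: str, prefixes=ALLOWED_PATTERN_PREFIXES) -> bool:
    """Return True only if the normalized name sits under an allowed prefix."""
    norm = normalize_template_name(name)
    if norm == ".." or norm.startswith("../"):
        return False  # escaped the template root entirely
    return any(norm.startswith(prefix) for prefix in prefixes)


def render_pattern(name: str, loader) -> str:
    """Serve a pattern template, refusing anything that is not a pattern.

    `loader` stands in for the template engine: a callable mapping a
    template name to its source. Rendering itself is out of scope here.
    """
    if not is_pattern_template(name):
        raise PermissionError(f"{name!r} is not a pattern library template")
    return loader(normalize_template_name(name))


# Constructed template store standing in for tests/templates on disk.
TEMPLATES = {
    "patterns/atoms/button.html": "<button>{{ label }}</button>",
    "secure/fail.html": "{% if False %}Don't show me{% endif %}",
}


def demo():
    """Try a legitimate pattern, the non-pattern template from the report,
    and a traversal attempt at it; return what the view would answer."""
    results = {}
    for requested in (
        "patterns/atoms/button.html",
        "secure/fail.html",
        "patterns/../secure/fail.html",
    ):
        try:
            results[requested] = render_pattern(requested, TEMPLATES.__getitem__)
        except PermissionError:
            results[requested] = "refused"
    return results


if __name__ == "__main__":
    for requested, outcome in demo().items():
        print(f"{requested}: {outcome}")
```

The important detail is the order of operations: normalize first, then compare against the allow-list, then hand the normalized name (never the raw request) to the loader. Checking the raw string against a prefix would accept `patterns/../secure/fail.html` and still load the non-pattern template.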

Labels: bug (Something isn't working), django (Related to Django templates capabilities)