mezzanine xss

Version: <=4.3.1
My English is not good, the report is translated by Google.
Recurring vulnerabilities:
Vulnerability url: `http://127.0.0.1:8000/admin/blog/blogpost/add/`
When adding a blog, use Burpsuite to capture the package, modify the title to `test<svg/onload=alert(1)>` and the content as `<svg>`
![21CB7D45-8A10-4E42-BCF6-F43BA73AB36B](https://user-images.githubusercontent.com/27653537/56572380-8a1a1680-65f1-11e9-8df2-1699f180bc22.png)
Return `http://127.0.0.1:8000/blog/` to trigger the xss
![9A9C3CCC-D286-4AB9-87C2-B3E9A3FF99B6](https://user-images.githubusercontent.com/27653537/56572416-97cf9c00-65f1-11e9-9e89-5243f0e3e2cf.png)
The cause of the vulnerability is due to the description_from_content function of core/models.py, line 184, where the value of title is called, resulting in xss
![8F2A6B92-DB86-42CA-9DC0-4D195CB64BBA](https://user-images.githubusercontent.com/27653537/56572426-9e5e1380-65f1-11e9-8dd9-7caa834d196c.png)




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

mezzanine xss #1921

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

mezzanine xss #1921

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions