Cross site scripting vulnerability in django-epiceditor

Introduction

django-epiceditor

A Django app that allows the easy addition of the EpicEditor markdown editor to a Django form field, whether in a custom app or the Django admin.

The project url: https://pypi.python.org/pypi/django-epiceditor

Environment

  • django==1.10.6
  • django-epiceditor==0.2.3

Vulnerability reproduction

In your app's form.py:

from django import forms
from epiceditor.widgets import AdminEpicEditorWidget

from .models import FooModel


class FooModelForm(forms.ModelForm):
    # Both fields are edited through the EpicEditor widget in the admin
    title = forms.CharField(widget=AdminEpicEditorWidget())
    info = forms.CharField(widget=AdminEpicEditorWidget())

    class Meta:
        model = FooModel
        fields = "__all__"

Then open the Django admin site and edit an object whose form field uses the AdminEpicEditorWidget widget.

Enter the following in the editor:

Click Preview.