It does work, make sure you're not logged in.

$ lynx -source -dump http://localhost:8000/admin/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/ | grep alert
<form action="/admin/"><script>alert(3939)</script>/" method="post" id="login-form">

On May 7, 9:10 pm, "James Bennett" <[EMAIL PROTECTED]> wrote:
> On Wed, May 7, 2008 at 1:45 PM, mw <[EMAIL PROTECTED]> wrote:
> > It worked for me and I have one of the fairly recent copies from SVN.
> > (not like today up to date, but pretty up to date)
>
> Visiting the precise URL he pasted, in current Django trunk (SVN
> revision 7514), I get a 404.
>
> And I can't see any way that the URL would match something in a prior
> version of Django, since there's never been an admin URL pattern that
> can match "index.php" or the other junk in that URL.
>
> My best guess is somebody made a 404.html template and is displaying
> the raw path of the URL without escaping (or with escaping turned off,
> depending on the Django version).
>
> --
> "Bureaucrat Conrad, you are technically correct -- the best kind of correct."
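
The reflection shown in the lynx output above, reproduced as an added example that is not part of the thread and is not Django's code. The function names and the FORM template are assumptions modelled on that output; the audit parses each rendering to show whether the path stays inside the action attribute.

```python
# Added illustration; function names are hypothetical, not Django's code.
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Request path taken from the lynx command in the message above.
RAW_PATH = "/admin/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/"

FORM = '<form action="{action}" method="post" id="login-form">'


def render_unescaped(request_path):
    """Reflects the decoded path verbatim (the behaviour shown above)."""
    return FORM.format(action=unquote(request_path))


def render_escaped(request_path):
    """Same template, with the path HTML-escaped for an attribute value."""
    return FORM.format(action=escape(unquote(request_path), quote=True))


class TagAudit(HTMLParser):
    """Records the form's action attribute and any <script> start tags."""

    def __init__(self):
        super().__init__()
        self.form_action = None
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.form_action = dict(attrs).get("action")
        elif tag == "script":
            self.script_tags += 1


def audit(markup):
    """Returns (form action as the parser sees it, number of script tags)."""
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.form_action, parser.script_tags


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        print(render.__name__, audit(render(RAW_PATH)))
```

A check like `audit` works as a regression test for any template that echoes the request path, including a custom 404.html.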