Description
The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
Remediation
References
Related Vulnerabilities
PHP Integer Overflow or Wraparound Vulnerability (CVE-2010-1866)
WordPress Plugin Question Answer Multiple Cross-Site Scripting Vulnerabilities (1.2.30)
WordPress Plugin WP Easy Gallery 'select_gallery' Parameter Cross-Site Scripting (1.7)
WordPress Plugin Clever Addons for Elementor Multiple Cross-Site Scripting Vulnerabilities (2.0.15)
Python Integer Overflow or Wraparound Vulnerability (CVE-2008-1679)