Description
The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
Remediation
References
Related Vulnerabilities
Apache HTTP Server Other Vulnerability (CVE-1999-1199)
WordPress Plugin s2Member Pro 'Coupon Code' Field HTML Injection (111216)
PostgreSQL Untrusted Search Path Vulnerability (CVE-2020-14350)
PHP Other Vulnerability (CVE-2015-4116)
WordPress Plugin Dynamic Featured Image Unspecified Vulnerability (1.0.3)