Description
The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespace, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
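The weakness described above is a redirect-target validator that lets the URL parser decide what the scheme is, while the browser strips leading whitespace and control characters before reading the scheme itself. The following is an added illustration, not Django's code: a naive check in the pre-fix pattern beside a hardened one that rejects such characters on the raw string before parsing; the host name is an assumed example value.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed application host for the example (not from the advisory).
ALLOWED_HOST = "example.com"
SAFE_SCHEMES = ("http", "https")


def is_safe_url_naive(url, host=ALLOWED_HOST):
    """Pre-fix pattern: rely on urlsplit() to find the scheme.

    Whether "\\njavascript:..." passes this check depends on the Python
    version: older urlsplit() sees no scheme (the leading whitespace is not
    a scheme character) and reports a relative path, newer versions strip
    leading whitespace/control characters themselves. A browser strips them
    too and then executes the javascript: URL, so the parser's verdict is
    not a safe basis for the decision.
    """
    if not url:
        return False
    parts = urlsplit(url)
    return (not parts.netloc or parts.netloc == host) and \
        (not parts.scheme or parts.scheme in SAFE_SCHEMES)


def is_safe_redirect(url, host=ALLOWED_HOST):
    """Hardened check: decide on the raw string first, then parse."""
    if not url:
        return False
    # Reject whitespace and any Unicode control character (category C*)
    # anywhere in the URL rather than hoping the parser normalises exactly
    # like a browser does. Legitimate redirect targets are percent-encoded.
    if any(ch.isspace() or unicodedata.category(ch).startswith("C") for ch in url):
        return False
    # Some browsers read "\" as "/" and "///host" as absolute; refuse both.
    if "\\" in url or url.startswith("///"):
        return False
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in SAFE_SCHEMES:
        return False
    if parts.scheme and not parts.netloc:  # e.g. http:///evil.example
        return False
    return not parts.netloc or parts.netloc == host
```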