If an object is audit-logged, it is shown stringified in the audit-log list (using its __str__ method), and the audit-log entry's summary field may also include the stringified object.
The summary field may also contain other data from the object, including data that was originally supplied as user input.
Currently, this output is not HTML-escaped, so user-supplied input can result in an XSS exploit on the audit-log list page. The audit-log list uses DataTables (JavaScript) to render the results of a JSON API call, and the values from that JSON are inserted into the table as HTML rather than as text.
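The following is an added illustration, not code from the affected project: it models a DataTables column render callback (signature `function(data, type, row)`) receiving an audit-log row from the JSON API, once without escaping (the behaviour described above) and once with escaping applied for the `display` type only, so sorting and filtering still operate on the raw value. The sample rows, field names and payloads are constructed for the example.

```javascript
// Constructed sample rows, shaped like JSON the audit-log API might return.
// The "object" and "summary" values contain attacker-controlled text that
// reached the object's __str__ output (hypothetical payloads).
const sampleRows = [
  { id: 1,
    object: 'Widget <img src=x onerror=alert(1)>',
    summary: 'renamed to "<script>alert(document.cookie)</script>"' },
  { id: 2, object: 'Widget A&B', summary: 'created' },
];

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: whatever is returned is inserted into the cell as HTML.
function renderUnsafe(data, type, row) {
  return data;
}

// Hardened renderer: escape when DataTables asks for the display value; leave
// the raw value for 'sort', 'filter' and 'type' so those still work on text.
function renderEscaped(data, type, row) {
  return type === 'display' ? escapeHtml(data) : data;
}

// Minimal stand-in for how DataTables builds rows from a render callback.
function buildTableHtml(rows, render) {
  const body = rows.map((r) => {
    const cells = [r.id, r.object, r.summary]
      .map((v) => `<td>${render(v, 'display', r)}</td>`)
      .join('');
    return `<tr>${cells}</tr>`;
  }).join('');
  return `<table><tbody>${body}</tbody></table>`;
}

// Returns true when the markup still contains a tag the browser would act on.
function containsInjectedTag(html) {
  return /<(script|img|svg|iframe)\b/i.test(html);
}

// Stand-alone demonstration.
const unsafeHtml = buildTableHtml(sampleRows, renderUnsafe);
const safeHtml = buildTableHtml(sampleRows, renderEscaped);
console.log('unsafe contains injected tag:', containsInjectedTag(unsafeHtml));
console.log('escaped contains injected tag:', containsInjectedTag(safeHtml));
```

In a real DataTables configuration the fix is the same idea applied per column (`columns: [{ data: 'summary', render: renderEscaped }, ...]`); escaping must happen at render time on the client, or the JSON API must return pre-escaped strings, and either way the server-side __str__ output should be treated as untrusted text.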