Los Angeles, CA
LA, CA USA - Managua, Nicaragua
From Peter Sanchez to ~petersanchez/public-inbox
I rushed out the 1.9.3 release and didn't realize I had made a mistake in forgetting to remove the `.format()` call when processing the `next` variable. Thank you, again, to Santos Gallegos for pointing this out.

As a result I removed it and released version 1.9.4. Please update.

https://pypi.org/project/django-impersonate/1.9.4/

https://hg.code.netlandish.com/~petersanchez/django-impersonate/rev/33cb8c77262a474869ab94bcb82c5446baf3c228

Apologies for this mix up. Honestly I just wasn't paying attention as I was slammed for time and trying to get this out asap.
From Peter Sanchez to ~petersanchez/public-inbox
Hi All,

Anyone using django-impersonate versions 1.9.2 and below (which as of this writing is literally everyone using the app) needs to upgrade as soon as they can to version 1.9.3, which I just pushed to PyPI.

https://pypi.org/project/django-impersonate/1.9.3/

There was an XSS security vulnerability in previous versions. It requires a specially crafted URL and an authorized user (a user who has access to impersonate another user) to click on it. It can be used to run JS code on the authorized user's browser.

Please see the fix commit here:
From Peter Sanchez to ~netlandish/links-dev
Applied. Thanks!
From Peter Sanchez to ~netlandish/links-dev
Applied. Thanks.
From Peter Sanchez to ~netlandish/links-dev
Applied! Thanks.
From Peter Sanchez to ~netlandish/links-dev
Applied. Thanks!
From Peter Sanchez to ~netlandish/links-dev
Thanks! Pushed. Peter
From Peter Sanchez to ~netlandish/links-dev
>+<p style="font-family: sans-serif; font-size: 14px; font-weight: normal; margin: 0; margin-bottom: 15px;"></p> You're closing the p tag here (</p>)... >+ Please click the link below: >+ <a href="{{buildURL .confURL}}" class="btn btn-primary">{{buildURL .confURL}}</a> >+</p> And also here. You need to remove the first closing tag and resubmit please.
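Review bot: the `</p>` at the end of the first added line closes the styled paragraph while it is still empty, so the "Please click the link below:" text and the `<a>` element fall outside it and the final `</p>` has no matching opening tag. Drop the `</p>` from the first added line so that the one after the `<a>` closes the paragraph and the inline style applies to its contents.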
From Peter Sanchez to ~netlandish/links-dev
I made some slight changes for alignment reasons but thank you for the patch! It's been applied. Peter
From Peter Sanchez to ~netlandish/links-dev
Applied! Thanks! Peter