Seebug SSV:92757
History: Mar 10, 2017 - 12:00 a.m.

Cross site scripting vulnerability in django-epiceditor(CVE-2017-6591)

Published: 2017-03-10 00:00:00
Author: Root
Source: www.seebug.org
17

EPSS

0.005

Percentile

76.7%

Introduction

django-epiceditor

A django app that allows the easy addition of EpicEditor markdown editor to a django form field, whether in a custom app or the Django Admin.

The project url: https://pypi.python.org/pypi/django-epiceditor

Environment

django==1.10.6
django-epiceditor==0.2.3

Vulnerability reproduction

In your app's forms.py:

from django import forms
from epiceditor.widgets import AdminEpicEditorWidget
from .models import FooModel


class FooModelForm(forms.ModelForm):
    # both fields are rendered with the EpicEditor markdown widget in the admin
    title = forms.CharField(widget=AdminEpicEditorWidget())
    info = forms.CharField(widget=AdminEpicEditorWidget())

    class Meta:
        model = FooModel
        fields = "__all__"

Then open the Django admin page for the model; for a field that uses the AdminEpicEditorWidget:

in the editor:

click Preview
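The reproduction above triggers the XSS through the widget's preview, that is, through the HTML rendered from whatever markdown was typed into the field. One defensive layer that does not depend on the editor's JavaScript is to sanitize that HTML with an allowlist before it is stored or rendered. The following is an added example, not code from the advisory or from django-epiceditor: a stdlib-only allowlist sanitizer built on `html.parser`. The tag set in `ALLOWED_TAGS`, the `sanitize_html` function name and the sample inputs are assumptions chosen to match typical markdown output; in a Django form it would be called from a field's `clean_<name>()` method (hypothetical usage, not shown) on the rendered HTML before the value is saved.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: tags a markdown renderer commonly emits. Anything else
# (script, img, iframe, svg, ...) is dropped while its text content is kept.
ALLOWED_TAGS = {
    "p", "br", "em", "strong", "code", "pre", "ul", "ol", "li",
    "h1", "h2", "h3", "blockquote", "a",
}
ALLOWED_ATTRS = {"a": {"href"}}          # no event handlers, no style
VOID_TAGS = {"br"}                       # tags that take no closing tag
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
DROP_CONTENT_TAGS = {"script", "style"}  # text inside these is discarded


class _Sanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, emitting only allowed ones."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities become text, re-escaped below
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # tag removed, its text still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            # block javascript:, data:, vbscript: and friends on links
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            return  # empty element, nothing to skip
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            # text is re-escaped, so "&lt;script&gt;" in a code block stays text
            self.out.append(escape(data, quote=False))

    # comments, doctype declarations and processing instructions are dropped
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize_html(html: str) -> str:
    """Return `html` reduced to the allowlisted tags and attributes."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # constructed sample: markdown output with injected inline HTML
    sample = '<p>hello <script>alert(1)</script><a href="javascript:alert(1)">x</a></p>'
    print(sanitize_html(sample))
```

Because the sanitizer rebuilds the output from parsed tokens rather than deleting substrings, malformed or nested markup cannot "reassemble" into a tag after filtering, and an unterminated `<script>` simply drops the rest of the input, which is the safe default.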