authorCarl Meyer <carl@oddbird.net>2011-02-09 02:44:16 +0000
committerCarl Meyer <carl@oddbird.net>2011-02-09 02:44:16 +0000
commit1f814a9547842dcfabdae09573055984af9d3fab (patch)
treecbe5a90cf0fa8574127423c405c17d318c93eed8
parent194566480b15cf4e294d3f03ff587019b74044b2 (diff)
[1.2.X] Fixed security issue in AdminFileWidget. Disclosure and release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15471 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--django/contrib/admin/widgets.py2
-rw-r--r--tests/regressiontests/admin_widgets/tests.py16
2 files changed, 17 insertions, 1 deletions
diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index 516869f1ef..472f69dcf0 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -96,7 +96,7 @@ class AdminFileWidget(forms.FileInput):
output = []
if value and hasattr(value, "url"):
output.append('%s <a target="_blank" href="%s">%s</a> <br />%s ' % \
- (_('Currently:'), value.url, value, _('Change:')))
+ (_('Currently:'), escape(value.url), escape(value), _('Change:')))
output.append(super(AdminFileWidget, self).render(name, value, attrs))
return mark_safe(u''.join(output))
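Review bot: The escaping on the new line 25 closes the HTML-injection hole, but `escape()` only neutralizes markup metacharacters; the escaped `value.url` still lands in an `href`, so a URL with a `javascript:` (or `data:`) scheme would survive intact if a storage backend's `url()` can return attacker-influenced text. With the default filesystem storage the URL is built from `MEDIA_URL` plus a storage-sanitized name, so this is presumably not reachable there, but custom storages are not covered by this fix — worth a comment such as `# escape() guards markup, not URL schemes; value.url is trusted to come from the storage backend`. The link also uses `target="_blank"` without `rel="noopener noreferrer"`, so the opened page can reach `window.opener` in older browsers. The enclosing `render` method starts above the hunk.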
diff --git a/tests/regressiontests/admin_widgets/tests.py b/tests/regressiontests/admin_widgets/tests.py
index e43ab83e9d..cf3f965c14 100644
--- a/tests/regressiontests/admin_widgets/tests.py
+++ b/tests/regressiontests/admin_widgets/tests.py
@@ -239,6 +239,22 @@ class AdminFileWidgetTest(DjangoTestCase):
'<input type="file" name="test" />',
)
+ def test_render_escapes_html(self):
+ class StrangeFieldFile(object):
+ url = "something?chapter=1&sect=2&copy=3&lang=en"
+
+ def __unicode__(self):
+ return u'''something<div onclick="alert('oops')">.jpg'''
+
+ widget = AdminFileWidget()
+ field = StrangeFieldFile()
+ output = widget.render('myfile', field)
+ self.assertFalse(field.url in output)
+ self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output)
+ self.assertFalse(unicode(field) in output)
+ self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output)
+
+
class ForeignKeyRawIdWidgetTest(DjangoTestCase):
def test_render(self):