diff options
| author | Jacob Kaplan-Moss <jacob@jacobian.org> | 2013-08-13 11:06:41 -0500 |
|---|---|---|
| committer | Jacob Kaplan-Moss <jacob@jacobian.org> | 2013-08-13 11:06:41 -0500 |
| commit | cbe6d5568f4f5053ed7228ca3c3d0cce77cf9560 (patch) | |
| tree | f1b6c5f5e956359de1ca25ca03ae867c4c5c99b7 | |
| parent | ae3535169af804352517b7fea94a42a1c9c4b762 (diff) | |
Apply autoescaping to AdminURLFieldWidget.
This is a security fix; disclosure to follow shortly.
| -rw-r--r-- | django/contrib/admin/widgets.py | 4 | ||||
| -rw-r--r-- | tests/admin_widgets/tests.py | 20 |
2 files changed, 15 insertions, 9 deletions
diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py index c4b15cdd6a..5773db6394 100644 --- a/django/contrib/admin/widgets.py +++ b/django/contrib/admin/widgets.py @@ -305,9 +305,9 @@ class AdminURLFieldWidget(forms.URLInput): html = super(AdminURLFieldWidget, self).render(name, value, attrs) if value: value = force_text(self._format_value(value)) - final_attrs = {'href': mark_safe(smart_urlquote(value))} + final_attrs = {'href': smart_urlquote(value)} html = format_html( - '<p class="url">{0} <a {1}>{2}</a><br />{3} {4}</p>', + '<p class="url">{0} <a{1}>{2}</a><br />{3} {4}</p>', _('Currently:'), flatatt(final_attrs), value, _('Change:'), html ) diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py index 5a88df1e57..9f5abe0684 100644 --- a/tests/admin_widgets/tests.py +++ b/tests/admin_widgets/tests.py @@ -321,18 +321,24 @@ class AdminURLWidgetTest(DjangoTestCase): w = widgets.AdminURLFieldWidget() self.assertHTMLEqual( conditional_escape(w.render('test', 'http://example-äüö.com')), - '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com" /></p>' + '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com" /></p>' ) def test_render_quoting(self): + # WARNING: Don't use assertHTMLEqual in that testcase! + # assertHTMLEqual will get rid of some escapes which are tested here! w = widgets.AdminURLFieldWidget() - self.assertHTMLEqual( - conditional_escape(w.render('test', 'http://example.com/<sometag>some text</sometag>')), - '<p class="url">Currently:<a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="url" value="http://example.com/<sometag>some text</sometag>" /></p>' + self.assertEqual( + w.render('test', 'http://example.com/<sometag>some text</sometag>'), + '<p class="url">Currently: <a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="url" value="http://example.com/<sometag>some text</sometag>" /></p>' ) - self.assertHTMLEqual( - conditional_escape(w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>')), - '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>' + self.assertEqual( + w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>'), + '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>' + ) + self.assertEqual( + w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"'), + '<p class="url">Currently: <a href="http://www.example.com/%C3%A4%22%3E%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E%22">http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"</a><br />Change: <input class="vURLField" name="test" type="url" value="http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"" /></p>' ) |
