diff options
| author | Jon Dufresne <jon.dufresne@gmail.com> | 2020-05-26 09:51:02 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2020-06-03 09:32:35 +0200 |
| commit | 1f2dd37f6fcefdd10ed44cb233b2e62b520afb38 (patch) | |
| tree | 5bfe03d368a683e3b08504de32a14d3d309f7f8b /tests/admin_widgets/models.py | |
| parent | 256d29710193f7a2f1e92abe96c94d036f73edc6 (diff) | |
[3.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.
Diffstat (limited to 'tests/admin_widgets/models.py')
| -rw-r--r-- | tests/admin_widgets/models.py | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/tests/admin_widgets/models.py b/tests/admin_widgets/models.py index b5025fdfd7..88bf2b8fca 100644 --- a/tests/admin_widgets/models.py +++ b/tests/admin_widgets/models.py @@ -27,6 +27,14 @@ class Band(models.Model): return self.name +class UnsafeLimitChoicesTo(models.Model): + band = models.ForeignKey( + Band, + models.CASCADE, + limit_choices_to={'name': '"&><escapeme'}, + ) + + class Album(models.Model): band = models.ForeignKey(Band, models.CASCADE) featuring = models.ManyToManyField(Band, related_name='featured') |
