summaryrefslogtreecommitdiff
path: root/tests/admin_widgets
diff options
context:
space:
mode:
authorMariusz Felisiak <felisiak.mariusz@gmail.com>2024-07-10 20:30:12 +0200
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-08-06 08:51:22 +0200
commitbd807c0c25ab69361a4c08edcc1cf04d4652aa0a (patch)
treeb9aa620ad5a6c747ee4b9aae9aef0f18c479347b /tests/admin_widgets
parent0c1a8909164d8f2846322efb1143b72ad1616bd8 (diff)
[5.1.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.
Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Diffstat (limited to 'tests/admin_widgets')
-rw-r--r--tests/admin_widgets/tests.py7
1 files changed, 6 insertions, 1 deletions
diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py
index 6f009a6f3f..467e2b558d 100644
--- a/tests/admin_widgets/tests.py
+++ b/tests/admin_widgets/tests.py
@@ -462,7 +462,12 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase):
class AdminURLWidgetTest(SimpleTestCase):
def test_get_context_validates_url(self):
w = widgets.AdminURLFieldWidget()
- for invalid in ["", "/not/a/full/url/", 'javascript:alert("Danger XSS!")']:
+ for invalid in [
+ "",
+ "/not/a/full/url/",
+ 'javascript:alert("Danger XSS!")',
+ "http://" + "한.글." * 1_000_000 + "com",
+ ]:
with self.subTest(url=invalid):
self.assertFalse(w.get_context("name", invalid, {})["url_valid"])
self.assertTrue(w.get_context("name", "http://example.com", {})["url_valid"])