Fixed CVE-2017-12794 -- Fixed XSS possibility in traceback section of technical 500 debug page.

This is a security fix.
author: Tim Graham <timograham@gmail.com> 2017-08-09 21:12:37 -0400
committer: Tim Graham <timograham@gmail.com> 2017-09-05 10:58:38 -0400
commit: 46e2b9e059e617afe6fe56da9f132568a7e6b198 (patch)
tree: 7856e671b8a8ef84c11bce51f973fd58ece3a663 /tests
parent: 73b6d027472fbbf823da4a084cdb9fb12e30dc60 (diff)
1 files changed, 6 insertions, 6 deletions
diff --git a/tests/view_tests/tests/test_debug.py b/tests/view_tests/tests/test_debug.py
index 8de484d6a9..71c60210e4 100644
--- a/tests/view_tests/tests/test_debug.py
+++ b/tests/view_tests/tests/test_debug.py
@@ -349,10 +349,10 @@ class ExceptionReporterTests(SimpleTestCase):
         request = self.rf.get('/test_view/')
         try:
             try:
-                raise AttributeError('Top level')
+                raise AttributeError(mark_safe('<p>Top level</p>'))
             except AttributeError as explicit:
                 try:
-                    raise ValueError('Second exception') from explicit
+                    raise ValueError(mark_safe('<p>Second exception</p>')) from explicit
                 except ValueError:
                     raise IndexError(mark_safe('<p>Final exception</p>'))
         except Exception:
@@ -366,13 +366,13 @@ class ExceptionReporterTests(SimpleTestCase):
         html = reporter.get_traceback_html()
         # Both messages are twice on page -- one rendered as html,
         # one as plain text (for pastebin)
-        self.assertEqual(2, html.count(explicit_exc.format("Top level")))
-        self.assertEqual(2, html.count(implicit_exc.format("Second exception")))
+        self.assertEqual(2, html.count(explicit_exc.format('&lt;p&gt;Top level&lt;/p&gt;')))
+        self.assertEqual(2, html.count(implicit_exc.format('&lt;p&gt;Second exception&lt;/p&gt;')))
         self.assertEqual(10, html.count('&lt;p&gt;Final exception&lt;/p&gt;'))
 
         text = reporter.get_traceback_text()
-        self.assertIn(explicit_exc.format("Top level"), text)
-        self.assertIn(implicit_exc.format("Second exception"), text)
+        self.assertIn(explicit_exc.format('<p>Top level</p>'), text)
+        self.assertIn(implicit_exc.format('<p>Second exception</p>'), text)
         self.assertEqual(3, text.count('<p>Final exception</p>'))
 
     def test_reporting_frames_without_source(self):
author	Tim Graham <timograham@gmail.com>	2017-08-09 21:12:37 -0400
committer	Tim Graham <timograham@gmail.com>	2017-09-05 10:58:38 -0400
commit	46e2b9e059e617afe6fe56da9f132568a7e6b198 (patch)
tree	7856e671b8a8ef84c11bce51f973fd58ece3a663 /tests
parent	73b6d027472fbbf823da4a084cdb9fb12e30dc60 (diff)