From 1f2dd37f6fcefdd10ed44cb233b2e62b520afb38 Mon Sep 17 00:00:00 2001 From: Jon Dufresne Date: Tue, 26 May 2020 09:51:02 +0200 Subject: [3.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget. --- tests/admin_widgets/tests.py | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'tests/admin_widgets/tests.py') diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py index 7aa597a87d..7d3d71181e 100644 --- a/tests/admin_widgets/tests.py +++ b/tests/admin_widgets/tests.py @@ -22,6 +22,7 @@ from django.utils import translation from .models import ( Advisor, Album, Band, Bee, Car, Company, Event, Honeycomb, Individual, Inventory, Member, MyFileField, Profile, School, Student, + UnsafeLimitChoicesTo, ) from .widgetadmin import site as widget_admin_site @@ -586,6 +587,16 @@ class ForeignKeyRawIdWidgetTest(TestCase): 'Hidden' % {'pk': hidden.pk} ) + def test_render_unsafe_limit_choices_to(self): + rel = UnsafeLimitChoicesTo._meta.get_field('band').remote_field + w = widgets.ForeignKeyRawIdWidget(rel, widget_admin_site) + self.assertHTMLEqual( + w.render('test', None), + '\n' + '' + ) + @override_settings(ROOT_URLCONF='admin_widgets.urls') class ManyToManyRawIdWidgetTest(TestCase): -- cgit v1.3