From de67dedc771ad2edec15c1d00c083a1a084e1e89 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Wed, 3 Dec 2014 16:14:00 -0500 Subject: [1.7.x] Fixed is_safe_url() to handle leading whitespace. This is a security fix. Disclosure following shortly. --- tests/utils_tests/test_http.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'tests') diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index db24d1c9f2..3b3083baf0 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -107,7 +107,8 @@ class TestUtilsHttp(unittest.TestCase): 'http:/\//example.com', 'http:\/example.com', 'http:/\example.com', - 'javascript:alert("XSS")'): + 'javascript:alert("XSS")', + '\njavascript:alert(x)'): self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url) for good_url in ('/view/?param=http://example.com', '/view/?param=https://example.com', -- cgit v1.3