| author | Jacob Kaplan-Moss <jacob@jacobian.org> | 2013-08-13 11:04:21 -0500 |
|---|---|---|
| committer | Jacob Kaplan-Moss <jacob@jacobian.org> | 2013-08-13 11:04:21 -0500 |
| commit | 90363e388c61874add3f3557ee654a996ec75d78 (patch) | |
| tree | d72c44549047260640aaa24d1d97db96fb099ee6 | |
| parent | 1a274ccd6bc1afbdac80344c9b6e5810c1162b5f (diff) | |
Apply autoescaping to AdminURLFieldWidget.
This is a security fix; disclosure to follow shortly.
| -rw-r--r-- | django/contrib/admin/widgets.py | 4 | ||||
| -rw-r--r-- | tests/regressiontests/admin_widgets/tests.py | 20 |
2 files changed, 15 insertions, 9 deletions
diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index 1e6277fb87..1635ea0085 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -310,9 +310,9 @@ class AdminURLFieldWidget(forms.TextInput):
         html = super(AdminURLFieldWidget, self).render(name, value, attrs)
         if value:
             value = force_text(self._format_value(value))
-            final_attrs = {'href': mark_safe(smart_urlquote(value))}
+            final_attrs = {'href': smart_urlquote(value)}
             html = format_html(
-                '<p class="url">{0} <a {1}>{2}</a><br />{3} {4}</p>',
+                '<p class="url">{0} <a{1}>{2}</a><br />{3} {4}</p>',
                 _('Currently:'), flatatt(final_attrs), value, _('Change:'), html
             )
diff --git a/tests/regressiontests/admin_widgets/tests.py b/tests/regressiontests/admin_widgets/tests.py
index fa599c618c..b3fff1fecc 100644
--- a/tests/regressiontests/admin_widgets/tests.py
+++ b/tests/regressiontests/admin_widgets/tests.py
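Review bot: The new `final_attrs = {'href': smart_urlquote(value)}` line is safe only because the quoted URL is no longer marked safe, so the escaping applied when flatatt() renders the attribute (not shown here, but implied by the commit message) is now the sole barrier between a value containing `"` and an href break-out; nothing at the call site records that, so a later cleanup could reintroduce mark_safe() without the intent being obvious. Add a why-comment above it: `# Not mark_safe(): the href must be escaped when rendered, so a '"' in value cannot close the attribute.` The companion `<a {1}>` → `<a{1}>` change is presumably because flatatt() output begins with a space, as the single space in the new test output suggests; a short comment on the format string would help there too. The enclosing render() begins before this hunk and its return statement is not shown.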
@@ -299,18 +299,24 @@ class AdminURLWidgetTest(DjangoTestCase):
         w = widgets.AdminURLFieldWidget()
         self.assertHTMLEqual(
             conditional_escape(w.render('test', 'http://example-äüö.com')),
-            '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="text" value="http://example-äüö.com" /></p>'
+            '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="text" value="http://example-äüö.com" /></p>'
         )
     def test_render_quoting(self):
+        # WARNING: Don't use assertHTMLEqual in that testcase!
+        # assertHTMLEqual will get rid of some escapes which are tested here!
         w = widgets.AdminURLFieldWidget()
-        self.assertHTMLEqual(
-            conditional_escape(w.render('test', 'http://example.com/<sometag>some text</sometag>')),
-            '<p class="url">Currently:<a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="text" value="http://example.com/<sometag>some text</sometag>" /></p>'
+        self.assertEqual(
+            w.render('test', 'http://example.com/<sometag>some text</sometag>'),
+            '<p class="url">Currently: <a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="text" value="http://example.com/<sometag>some text</sometag>" /></p>'
         )
-        self.assertHTMLEqual(
-            conditional_escape(w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>')),
-            '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="text" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>'
+        self.assertEqual(
+            w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>'),
+            '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="text" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>'
+        )
+        self.assertEqual(
+            w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"'),
+            '<p class="url">Currently: <a href="http://www.example.com/%C3%A4%22%3E%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E%22">http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"</a><br />Change: <input class="vURLField" name="test" type="text" value="http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"" /></p>'
         )
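Review bot: The expected strings of the three new assertEqual calls are shown here with literal `"><script>` and `<sometag>` in the link text and in the input's value attribute, which is precisely the unescaped output the widget fix is meant to rule out; this is most likely the page rendering decoding the diff's `&quot;`/`&lt;`/`&gt;` entities rather than the committed text, but if the file really held the literal characters the test would only pass on the vulnerable widget, so confirm the asserted text uses the escaped forms. Since the comment explicitly forbids assertHTMLEqual because it normalizes escapes, the assertion should also spell out what it is pinning, e.g. `# Plain assertEqual: the escaped '"' and '<' in the link text and input value are the point of this test.` The new comment's wording could be tightened to `# WARNING: Don't use assertHTMLEqual in this test case:` / `# it normalizes away some of the escapes being tested here.`. The enclosing test class continues outside the hunk.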
