[1.9.x] Fixed XSS in admin's add/change related popup.

This is a security fix.

6 files changed, 41 insertions, 8 deletions

diff --git a/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js b/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js
index 4ac9baa8ee..76cc952239 100644
--- a/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js
+++ b/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js
@@ -120,7 +120,7 @@
         var selects = django.jQuery(selectsSelector);
         selects.find('option').each(function() {
             if (this.value === objId) {
-                this.innerHTML = newRepr;
+                this.textContent = newRepr;
                 this.value = newId;
             }
         });
diff --git a/django/views/debug.py b/django/views/debug.py
index 7cff3eface..2629d345eb 100644
--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -631,13 +631,13 @@ TECHNICAL_500_TEMPLATE = ("""
       var s = link.getElementsByTagName('span')[0];
       var uarr = String.fromCharCode(0x25b6);
       var darr = String.fromCharCode(0x25bc);
-      s.innerHTML = s.innerHTML == uarr ? darr : uarr;
+      s.textContent = s.textContent == uarr ? darr : uarr;
       return false;
     }
     function switchPastebinFriendly(link) {
       s1 = "Switch to copy-and-paste view";
       s2 = "Switch back to interactive view";
-      link.innerHTML = link.innerHTML.trim() == s1 ? s2: s1;
+      link.textContent = link.textContent.trim() == s1 ? s2: s1;
       toggle('browserTraceback', 'pastebinTraceback');
       return false;
     }
diff --git a/docs/releases/1.8.14.txt b/docs/releases/1.8.14.txt
index 6311172abc..31a304f7c0 100644
--- a/docs/releases/1.8.14.txt
+++ b/docs/releases/1.8.14.txt
@@ -2,9 +2,20 @@
 Django 1.8.14 release notes
 ===========================
 
-*Under development*
+*July 18, 2016*
 
-Django 1.8.14 fixes several bugs in 1.8.13.
+Django 1.8.14 fixes a security issue and a bug in 1.8.13.
+
+XSS in admin's add/change related popup
+=======================================
+
+Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
+admin's add/change related popup. ``Element.textContent`` is now used to
+prevent execution of the data.
+
+The debug view also used ``innerHTML``. Although a security issue wasn't
+identified there, out of an abundance of caution it's also updated to use
+``textContent``.
 
 Bugfixes
 ========
diff --git a/docs/releases/1.9.8.txt b/docs/releases/1.9.8.txt
index 8db5c3d01f..08ba5ae08f 100644
--- a/docs/releases/1.9.8.txt
+++ b/docs/releases/1.9.8.txt
@@ -2,9 +2,20 @@
 Django 1.9.8 release notes
 ==========================
 
-*Under development*
+*July 18, 2016*
 
-Django 1.9.8 fixes several bugs in 1.9.7.
+Django 1.9.8 fixes a security issue and several bugs in 1.9.7.
+
+XSS in admin's add/change related popup
+=======================================
+
+Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
+admin's add/change related popup. ``Element.textContent`` is now used to
+prevent execution of the data.
+
+The debug view also used ``innerHTML``. Although a security issue wasn't
+identified there, out of an abundance of caution it's also updated to use
+``textContent``.
 
 Bugfixes
 ========
diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py
index aa91eef57e..f1c77e2872 100644
--- a/tests/admin_views/models.py
+++ b/tests/admin_views/models.py
@@ -17,6 +17,7 @@ from django.db import models
 from django.utils.encoding import python_2_unicode_compatible
 
 
+@python_2_unicode_compatible
 class Section(models.Model):
     """
     A simple section that links to articles, to test linking to related items
@@ -24,6 +25,9 @@ class Section(models.Model):
     """
     name = models.CharField(max_length=100)
 
+    def __str__(self):
+        return self.name
+
     @property
     def name_property(self):
         """
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index 31e4326ff7..bf419678a0 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -4625,8 +4625,10 @@ class SeleniumAdminViewsFirefoxTests(AdminSeleniumWebDriverTestCase):
         """
         list_editable foreign keys have add/change popups.
         """
+        from selenium.webdriver.support.ui import Select
         s1 = Section.objects.create(name='Test section')
         Article.objects.create(
+            title='foo',
             content='<p>Middle content</p>',
             date=datetime.datetime(2008, 3, 18, 11, 54, 58),
             section=s1,
@@ -4638,8 +4640,13 @@ class SeleniumAdminViewsFirefoxTests(AdminSeleniumWebDriverTestCase):
         self.wait_for_popup()
         self.selenium.switch_to.window(self.selenium.window_handles[-1])
         self.wait_for_text('#content h1', 'Change section')
-        self.selenium.close()
+        name_input = self.selenium.find_element_by_id('id_name')
+        name_input.clear()
+        name_input.send_keys('<i>edited section</i>')
+        self.selenium.find_element_by_xpath('//input[@value="Save"]').click()
         self.selenium.switch_to.window(self.selenium.window_handles[0])
+        select = Select(self.selenium.find_element_by_id('id_form-0-section'))
+        self.assertEqual(select.first_selected_option.text, '<i>edited section</i>')
 
         # Add popup
         self.selenium.find_element_by_id('add_id_form-0-section').click()