[1.8.x] Refs #24461 -- Added test/release notes for XSS issue in ModelAdmin.readonly_fields

This issue was fixed by refs #24464.

4 files changed, 33 insertions, 3 deletions

diff --git a/docs/releases/1.7.6.txt b/docs/releases/1.7.6.txt
index af0907816d..7f54da1474 100644
--- a/docs/releases/1.7.6.txt
+++ b/docs/releases/1.7.6.txt
@@ -2,9 +2,23 @@
 Django 1.7.6 release notes
 ==========================
 
-*Under Development*
+*March 9, 2015*
 
-Django 1.7.6 fixes several bugs in 1.7.5.
+Django 1.7.6 fixes a security issue and several bugs in 1.7.5.
+
+Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields``
+========================================================================
+
+The :attr:`ModelAdmin.readonly_fields
+<django.contrib.admin.ModelAdmin.readonly_fields>` attribute in the Django
+admin allows displaying model fields and model attributes. While the former
+were correctly escaped, the latter were not. Thus untrusted content could be
+injected into the admin, presenting an exploitation vector for XSS attacks.
+
+In this vulnerability, every model attribute used in ``readonly_fields`` that
+is not an actual model field (e.g. a :class:`property`) will **fail to be
+escaped** even if that attribute is not marked as safe. In this release,
+autoescaping is now correctly applied.
 
 Bugfixes
 ========
diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py
index d7d4be86bc..158f42ea67 100644
--- a/tests/admin_views/admin.py
+++ b/tests/admin_views/admin.py
@@ -871,7 +871,7 @@ site = admin.AdminSite(name="admin")
 site.site_url = '/my-site-url/'
 site.register(Article, ArticleAdmin)
 site.register(CustomArticle, CustomArticleAdmin)
-site.register(Section, save_as=True, inlines=[ArticleInline])
+site.register(Section, save_as=True, inlines=[ArticleInline], readonly_fields=['name_property'])
 site.register(ModelWithStringPrimaryKey)
 site.register(Color)
 site.register(Thing, ThingAdmin)
diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py
index 07f6864cf5..845d3d9ee2 100644
--- a/tests/admin_views/models.py
+++ b/tests/admin_views/models.py
@@ -22,6 +22,13 @@ class Section(models.Model):
     """
     name = models.CharField(max_length=100)
 
+    @property
+    def name_property(self):
+        """
+        A property that simply returns the name. Used to test #24461
+        """
+        return self.name
+
 
 @python_2_unicode_compatible
 class Article(models.Model):
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index 6425cb21df..925d8e6090 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -4114,6 +4114,15 @@ class ReadonlyTest(TestCase):
         self.assertContains(response, '<label for="id_public">Overridden public label:</label>', html=True)
         self.assertNotContains(response, "Some help text for the date (with unicode ŠĐĆŽćžšđ)")
 
+    def test_correct_autoescaping(self):
+        """
+        Make sure that non-field readonly elements are properly autoescaped (#24461)
+        """
+        section = Section.objects.create(name='<a>evil</a>')
+        response = self.client.get(reverse('admin:admin_views_section_change', args=(section.pk,)))
+        self.assertNotContains(response, "<a>evil</a>", status_code=200)
+        self.assertContains(response, "&lt;a&gt;evil&lt;/a&gt;", status_code=200)
+
 
 @override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',),
     ROOT_URLCONF="admin_views.urls")