path: root/django/contrib/admin/widgets.py
authorJon Dufresne <jon.dufresne@gmail.com>2020-05-26 09:51:02 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2020-06-03 09:23:00 +0200
commit2dd4d110c159d0c81dff42eaead2c378a0998735 (patch)
tree882d7a84a709dbc73e63c684bdbcdf2449d7dec1 /django/contrib/admin/widgets.py
parent81dc710571b773557170cce9764fff83b6dfd8ae (diff)
Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.
Diffstat (limited to 'django/contrib/admin/widgets.py')
-rw-r--r--django/contrib/admin/widgets.py6
1 files changed, 3 insertions, 3 deletions
diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index 1ec7c70abd..59d1004d2d 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -12,7 +12,7 @@ from django.db.models import CASCADE
from django.urls import reverse
from django.urls.exceptions import NoReverseMatch
from django.utils.html import smart_urlquote
-from django.utils.safestring import mark_safe
+from django.utils.http import urlencode
from django.utils.text import Truncator
from django.utils.translation import get_language, gettext as _
@@ -145,8 +145,8 @@ class ForeignKeyRawIdWidget(forms.TextInput):
params = self.url_parameters()
if params:
- related_url += '?' + '&amp;'.join('%s=%s' % (k, v) for k, v in params.items())
- context['related_url'] = mark_safe(related_url)
+ related_url += '?' + urlencode(params)
+ context['related_url'] = related_url
context['link_title'] = _('Lookup')
# The JavaScript code looks for this class.
context['widget']['attrs'].setdefault('class', 'vForeignKeyRawIdAdminField')
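Review bot: Nothing in the new lines records why `related_url` is now handed to the template unmarked, so a later maintainer who notices `&` rendering as `&amp;` in the attribute may reinstate `mark_safe` and reopen the issue; a one-line comment above `context['related_url'] = related_url`, e.g. `# Not mark_safe(): the query string is built from url_parameters() values and relies on template autoescaping.`, would pin the intent. The fix also depends on the widget template rendering `related_url` with autoescaping on, which is not visible here and is worth confirming. `urlencode` percent-encodes keys and values, so the hand-joined `&amp;` form removed on the old side was doing escaping that now belongs to the template. Tests are not visible because the diffstat is limited to this file. The enclosing method starts above the hunk.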