[1.1.X] Fixed security issue in AdminFileWidget. Release and disclosure forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15472 bcc190cf-cafb-0310-a4f2-bffc1f526a37
author: Carl Meyer <carl@oddbird.net> 2011-02-09 02:48:48 +0000
committer: Carl Meyer <carl@oddbird.net> 2011-02-09 02:48:48 +0000
commit: 1966786d2dde73e17f39cf340eb33fcb5d73904e (patch)
tree: c0e0dcb03a006dd8de7d49ce82f78ba8746dbf09 /django
parent: 570a32a047ea56265646217264b0d3dab1a14dbd (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index 17067346f6..228b592fda 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -93,7 +93,7 @@ class AdminFileWidget(forms.FileInput):
         output = []
         if value and hasattr(value, "url"):
             output.append('%s <a target="_blank" href="%s">%s</a> <br />%s ' % \
-                (_('Currently:'), value.url, value, _('Change:')))
+                (_('Currently:'), escape(value.url), escape(value), _('Change:')))
         output.append(super(AdminFileWidget, self).render(name, value, attrs))
         return mark_safe(u''.join(output))
author	Carl Meyer <carl@oddbird.net>	2011-02-09 02:48:48 +0000
committer	Carl Meyer <carl@oddbird.net>	2011-02-09 02:48:48 +0000
commit	1966786d2dde73e17f39cf340eb33fcb5d73904e (patch)
tree	c0e0dcb03a006dd8de7d49ce82f78ba8746dbf09 /django
parent	570a32a047ea56265646217264b0d3dab1a14dbd (diff)