authorJon Dufresne <jon.dufresne@gmail.com>2020-05-26 09:51:02 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2020-06-03 09:32:35 +0200
commit1f2dd37f6fcefdd10ed44cb233b2e62b520afb38 (patch)
tree5bfe03d368a683e3b08504de32a14d3d309f7f8b /django
parent256d29710193f7a2f1e92abe96c94d036f73edc6 (diff)
[3.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.
Diffstat (limited to 'django')
-rw-r--r--django/contrib/admin/widgets.py6
1 files changed, 3 insertions, 3 deletions
diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index 7db57f4098..816f848ff0 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -12,7 +12,7 @@ from django.db.models.deletion import CASCADE
from django.urls import reverse
from django.urls.exceptions import NoReverseMatch
from django.utils.html import smart_urlquote
-from django.utils.safestring import mark_safe
+from django.utils.http import urlencode
from django.utils.text import Truncator
from django.utils.translation import get_language, gettext as _
@@ -150,8 +150,8 @@ class ForeignKeyRawIdWidget(forms.TextInput):
params = self.url_parameters()
if params:
- related_url += '?' + '&amp;'.join('%s=%s' % (k, v) for k, v in params.items())
- context['related_url'] = mark_safe(related_url)
+ related_url += '?' + urlencode(params)
+ context['related_url'] = related_url
context['link_title'] = _('Lookup')
# The JavaScript code looks for this class.
context['widget']['attrs'].setdefault('class', 'vForeignKeyRawIdAdminField')
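Review bot: Dropping mark_safe() on the new `context['related_url'] = related_url` line is what makes the fix hold, but nothing in the hunk records that, so a later maintainer could reintroduce it when the `&` shows up as `&amp;` in the rendered href. The query string now comes from urlencode(), which percent-encodes keys and values and joins them with a raw `&`, and the template's autoescaping takes care of HTML-escaping the whole value where it is rendered. I'd add `# Not mark_safe(): urlencode() emits a raw "&"; the template autoescapes related_url.` above that line. The enclosing get_context() starts and ends outside the hunk.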