diff options
| author | Tim Graham <timograham@gmail.com> | 2016-07-06 15:41:06 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-07-15 09:23:32 -0400 |
| commit | d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158 (patch) | |
| tree | caffc2e8db737972ec4d8d48961f506e43090336 /tests/admin_views | |
| parent | ab2f5f764a2f6db97e23cccd5c4f5abbb43d1caf (diff) | |
[1.9.x] Fixed XSS in admin's add/change related popup.
This is a security fix.
Diffstat (limited to 'tests/admin_views')
| -rw-r--r-- | tests/admin_views/models.py | 4 | ||||
| -rw-r--r-- | tests/admin_views/tests.py | 9 |
2 files changed, 12 insertions, 1 deletions
diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py index aa91eef57e..f1c77e2872 100644 --- a/tests/admin_views/models.py +++ b/tests/admin_views/models.py @@ -17,6 +17,7 @@ from django.db import models from django.utils.encoding import python_2_unicode_compatible +@python_2_unicode_compatible class Section(models.Model): """ A simple section that links to articles, to test linking to related items @@ -24,6 +25,9 @@ class Section(models.Model): """ name = models.CharField(max_length=100) + def __str__(self): + return self.name + @property def name_property(self): """ diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py index 31e4326ff7..bf419678a0 100644 --- a/tests/admin_views/tests.py +++ b/tests/admin_views/tests.py @@ -4625,8 +4625,10 @@ class SeleniumAdminViewsFirefoxTests(AdminSeleniumWebDriverTestCase): """ list_editable foreign keys have add/change popups. """ + from selenium.webdriver.support.ui import Select s1 = Section.objects.create(name='Test section') Article.objects.create( + title='foo', content='<p>Middle content</p>', date=datetime.datetime(2008, 3, 18, 11, 54, 58), section=s1, @@ -4638,8 +4640,13 @@ class SeleniumAdminViewsFirefoxTests(AdminSeleniumWebDriverTestCase): self.wait_for_popup() self.selenium.switch_to.window(self.selenium.window_handles[-1]) self.wait_for_text('#content h1', 'Change section') - self.selenium.close() + name_input = self.selenium.find_element_by_id('id_name') + name_input.clear() + name_input.send_keys('<i>edited section</i>') + self.selenium.find_element_by_xpath('//input[@value="Save"]').click() self.selenium.switch_to.window(self.selenium.window_handles[0]) + select = Select(self.selenium.find_element_by_id('id_form-0-section')) + self.assertEqual(select.first_selected_option.text, '<i>edited section</i>') # Add popup self.selenium.find_element_by_id('add_id_form-0-section').click() |