summaryrefslogtreecommitdiff
path: root/tests/admin_views
diff options
context:
space:
mode:
authorBaptiste Mispelon <bmispelon@gmail.com>2015-03-08 11:50:32 +0100
committerTim Graham <timograham@gmail.com>2015-03-09 10:17:54 -0400
commit2654e1b93923bac55f12b4e66c5e39b16695ace5 (patch)
tree339c5e65ac69a07dd58bee6e4831a23bc87e7500 /tests/admin_views
parent5a3b53112193cc74d2043e09894dd29a763b1105 (diff)
[1.7.x] Fixed #24461 -- Fixed XSS issue in ModelAdmin.readonly_fields
Diffstat (limited to 'tests/admin_views')
-rw-r--r--tests/admin_views/admin.py2
-rw-r--r--tests/admin_views/models.py7
-rw-r--r--tests/admin_views/tests.py9
3 files changed, 17 insertions, 1 deletions
diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py
index 9a05df614a..15c1384635 100644
--- a/tests/admin_views/admin.py
+++ b/tests/admin_views/admin.py
@@ -860,7 +860,7 @@ class GetFormsetsArgumentCheckingAdmin(admin.ModelAdmin):
site = admin.AdminSite(name="admin")
site.register(Article, ArticleAdmin)
site.register(CustomArticle, CustomArticleAdmin)
-site.register(Section, save_as=True, inlines=[ArticleInline])
+site.register(Section, save_as=True, inlines=[ArticleInline], readonly_fields=['name_property'])
site.register(ModelWithStringPrimaryKey)
site.register(Color)
site.register(Thing, ThingAdmin)
diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py
index 341b7aec65..f41b4de088 100644
--- a/tests/admin_views/models.py
+++ b/tests/admin_views/models.py
@@ -22,6 +22,13 @@ class Section(models.Model):
"""
name = models.CharField(max_length=100)
+ @property
+ def name_property(self):
+ """
+ A property that simply returns the name. Used to test #24461
+ """
+ return self.name
+
@python_2_unicode_compatible
class Article(models.Model):
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index 96da7c438e..e61064211c 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -3862,6 +3862,15 @@ class ReadonlyTest(TestCase):
self.assertContains(response, '<label for="id_public">Overridden public label:</label>', html=True)
self.assertNotContains(response, "Some help text for the date (with unicode ŠĐĆŽćžšđ)")
+ def test_correct_autoescaping(self):
+ """
+ Make sure that non-field readonly elements are properly autoescaped (#24461)
+ """
+ section = Section.objects.create(name='<a>evil</a>')
+ response = self.client.get(reverse('admin:admin_views_section_change', args=(section.pk,)))
+ self.assertNotContains(response, "<a>evil</a>", status_code=200)
+ self.assertContains(response, "&lt;a&gt;evil&lt;/a&gt;", status_code=200)
+
@override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',))
class LimitChoicesToInAdminTest(TestCase):
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 03:24:41 +0000