| author | Baptiste Mispelon <bmispelon@gmail.com> | 2015-03-08 11:50:32 +0100 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-03-09 10:15:12 -0400 |
| commit | 35d68e8e766217924375e1a91533fee50159291c (patch) | |
| tree | c56a28e971ef76f829ab0be93768625eac04c55d /tests/admin_views | |
| parent | 980d604bf237b0e09a1c7754b74d1bb2bfed0b35 (diff) | |
[1.8.x] Refs #24461 -- Added test/release notes for XSS issue in ModelAdmin.readonly_fields
This issue was fixed by refs #24464.
Diffstat (limited to 'tests/admin_views')
| -rw-r--r-- | tests/admin_views/admin.py | 2 | ||||
| -rw-r--r-- | tests/admin_views/models.py | 7 | ||||
| -rw-r--r-- | tests/admin_views/tests.py | 9 |
3 files changed, 17 insertions, 1 deletions
diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py
index d7d4be86bc..158f42ea67 100644
--- a/tests/admin_views/admin.py
+++ b/tests/admin_views/admin.py
@@ -871,7 +871,7 @@ site = admin.AdminSite(name="admin")
 site.site_url = '/my-site-url/'
 site.register(Article, ArticleAdmin)
 site.register(CustomArticle, CustomArticleAdmin)
-site.register(Section, save_as=True, inlines=[ArticleInline])
+site.register(Section, save_as=True, inlines=[ArticleInline], readonly_fields=['name_property'])
 site.register(ModelWithStringPrimaryKey)
 site.register(Color)
 site.register(Thing, ThingAdmin)
diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py
index 07f6864cf5..845d3d9ee2 100644
--- a/tests/admin_views/models.py
+++ b/tests/admin_views/models.py
@@ -22,6 +22,13 @@ class Section(models.Model):
 """
 name = models.CharField(max_length=100)

+ @property
+ def name_property(self):
+ """
+ A property that simply returns the name. Used to test #24461
+ """
+ return self.name
+

 @python_2_unicode_compatible
 class Article(models.Model):
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index 6425cb21df..925d8e6090 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
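Review bot: The new `readonly_fields=['name_property']` on the `Section` registration carries no comment saying why a non-field property is listed, so the regression coverage it provides for the readonly-field escaping issue is easy to lose in a later cleanup of this fixture. A short comment on the changed line, `# 'name_property' is a non-field readonly entry; covers autoescaping of readonly values (refs #24461)`, would tie it to the test that depends on it. The surrounding `site.register` run continues outside the hunk.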
@@ -4114,6 +4114,15 @@ class ReadonlyTest(TestCase):
 self.assertContains(response, '<label for="id_public">Overridden public label:</label>', html=True)
 self.assertNotContains(response, "Some help text for the date (with unicode ŠĐĆŽćžšđ)")

+ def test_correct_autoescaping(self):
+ """
+ Make sure that non-field readonly elements are properly autoescaped (#24461)
+ """
+ section = Section.objects.create(name='<a>evil</a>')
+ response = self.client.get(reverse('admin:admin_views_section_change', args=(section.pk,)))
+ self.assertNotContains(response, "<a>evil</a>", status_code=200)
+ self.assertContains(response, "<a>evil</a>", status_code=200)
+

 @override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',), ROOT_URLCONF="admin_views.urls")
 |
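Review bot: As rendered here the last two assertions of `test_correct_autoescaping` pass the same literal `"<a>evil</a>"` to both `assertNotContains` and `assertContains`, which cannot both hold for one response; the second presumably checks the escaped form and this page's HTML rendering decoded the entities, so the source line should read `self.assertContains(response, "&lt;a&gt;evil&lt;/a&gt;", status_code=200)` and is worth confirming against the raw file. Leaving `html` at its default for the `assertNotContains` call is the right choice, since a plain substring check fails on any unescaped occurrence anywhere in the body rather than only inside a parsed element. If the fix in refs #24464 escapes conditionally, a companion test whose readonly entry returns already-safe markup would guard against double escaping, but that depends on the fix's implementation, which is not visible here. The enclosing `ReadonlyTest` class starts outside the hunk.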
