diff options
| author | Jacob Kaplan-Moss <jacob@jacobian.org> | 2013-08-13 11:06:00 -0500 |
|---|---|---|
| committer | Jacob Kaplan-Moss <jacob@jacobian.org> | 2013-08-13 11:06:00 -0500 |
| commit | bfbae15c669beab335400ab51a060e3d7d8e4c7a (patch) | |
| tree | 7be857e95940dee50630817faaae894c09af799b /tests/admin_widgets | |
| parent | 79594b40c087c19fecc72af042c835b11a519b78 (diff) | |
Apply autoescaping to AdminURLFieldWidget.
This is a security fix; disclosure to follow shortly.
Diffstat (limited to 'tests/admin_widgets')
| -rw-r--r-- | tests/admin_widgets/tests.py | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py index d275c7669e..3184c7150b 100644 --- a/tests/admin_widgets/tests.py +++ b/tests/admin_widgets/tests.py @@ -321,18 +321,24 @@ class AdminURLWidgetTest(DjangoTestCase): w = widgets.AdminURLFieldWidget() self.assertHTMLEqual( conditional_escape(w.render('test', 'http://example-äüö.com')), - '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com" /></p>' + '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com" /></p>' ) def test_render_quoting(self): + # WARNING: Don't use assertHTMLEqual in that testcase! + # assertHTMLEqual will get rid of some escapes which are tested here! w = widgets.AdminURLFieldWidget() - self.assertHTMLEqual( - conditional_escape(w.render('test', 'http://example.com/<sometag>some text</sometag>')), - '<p class="url">Currently:<a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="url" value="http://example.com/<sometag>some text</sometag>" /></p>' + self.assertEqual( + w.render('test', 'http://example.com/<sometag>some text</sometag>'), + '<p class="url">Currently: <a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="url" value="http://example.com/<sometag>some text</sometag>" /></p>' ) - self.assertHTMLEqual( - conditional_escape(w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>')), - '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>' + self.assertEqual( + w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>'), + '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>' + ) + self.assertEqual( + w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"'), + '<p class="url">Currently: <a href="http://www.example.com/%C3%A4%22%3E%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E%22">http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"</a><br />Change: <input class="vURLField" name="test" type="url" value="http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"" /></p>' ) |