authorCarl Meyer <carl@oddbird.net>2011-02-09 02:48:48 +0000
committerCarl Meyer <carl@oddbird.net>2011-02-09 02:48:48 +0000
commit1966786d2dde73e17f39cf340eb33fcb5d73904e (patch)
treec0e0dcb03a006dd8de7d49ce82f78ba8746dbf09 /tests/regressiontests/admin_widgets
parent570a32a047ea56265646217264b0d3dab1a14dbd (diff)
[1.1.X] Fixed security issue in AdminFileWidget. Release and disclosure forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15472 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'tests/regressiontests/admin_widgets')
-rw-r--r--tests/regressiontests/admin_widgets/tests.py16
1 files changed, 16 insertions, 0 deletions
diff --git a/tests/regressiontests/admin_widgets/tests.py b/tests/regressiontests/admin_widgets/tests.py
index 64e12e3eaa..e69e5d2b71 100644
--- a/tests/regressiontests/admin_widgets/tests.py
+++ b/tests/regressiontests/admin_widgets/tests.py
@@ -154,3 +154,19 @@ class AdminForeignKeyRawIdWidget(DjangoTestCase):
post_data)
self.assertContains(response,
'Select a valid choice. That choice is not one of the available choices.')
+
+class AdminFileWidgetTest(DjangoTestCase):
+ def test_render_escapes_html(self):
+ class StrangeFieldFile(object):
+ url = "something?chapter=1&sect=2&copy=3&lang=en"
+
+ def __unicode__(self):
+ return u'''something<div onclick="alert('oops')">.jpg'''
+
+ widget = widgets.AdminFileWidget()
+ field = StrangeFieldFile()
+ output = widget.render('myfile', field)
+ self.assertFalse(field.url in output)
+ self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output)
+ self.assertFalse(unicode(field) in output)
+ self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output)
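Review bot: The new AdminFileWidgetTest.test_render_escapes_html has no docstring or comment saying what it guards, so the deliberately odd fixtures (a url containing `&sect=` and `&copy=`, which lenient browsers may treat as entity references if left unescaped, and a `__unicode__` value carrying an inline event handler) read as arbitrary test data. I would add a docstring to the test method such as `"""Regression test: AdminFileWidget must HTML-escape both the file URL (href) and the file name (link text) it renders, so a stored name or URL cannot inject markup into the admin page."""`. The two assertFalse calls only prove the raw strings are absent, while the assertTrue calls that follow pin the expected escaped form; a one-line comment above the assertions, `# raw values must be absent and their escaped forms present`, would make that pairing explicit for the next reader.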