[1.7.x] Fixed is_safe_url() to handle leading whitespace.

This is a security fix. Disclosure following shortly.
author: Tim Graham <timograham@gmail.com> 2014-12-03 16:14:00 -0500
committer: Tim Graham <timograham@gmail.com> 2015-01-13 13:02:56 -0500
commit: de67dedc771ad2edec15c1d00c083a1a084e1e89 (patch)
tree: 8730d717445807b0950da15cfeabc7850740c6bd /tests/utils_tests/test_http.py
parent: 41b4bc73ee0da7b2e09f4af47fc1fd21144c710f (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index db24d1c9f2..3b3083baf0 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -107,7 +107,8 @@ class TestUtilsHttp(unittest.TestCase):
                         'http:/\//example.com',
                         'http:\/example.com',
                         'http:/\example.com',
-                        'javascript:alert("XSS")'):
+                        'javascript:alert("XSS")',
+                        '\njavascript:alert(x)'):
             self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
         for good_url in ('/view/?param=http://example.com',
                      '/view/?param=https://example.com',
author	Tim Graham <timograham@gmail.com>	2014-12-03 16:14:00 -0500
committer	Tim Graham <timograham@gmail.com>	2015-01-13 13:02:56 -0500
commit	de67dedc771ad2edec15c1d00c083a1a084e1e89 (patch)
tree	8730d717445807b0950da15cfeabc7850740c6bd /tests/utils_tests/test_http.py
parent	41b4bc73ee0da7b2e09f4af47fc1fd21144c710f (diff)