summaryrefslogtreecommitdiff
path: root/tests/utils_tests/test_http.py
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2014-12-03 16:14:00 -0500
committerTim Graham <timograham@gmail.com>2015-01-13 13:03:06 -0500
commit69b5e667385db9ed5e61917a58a75f97b6a97e68 (patch)
tree96ad2815aa8da99414f13e063ab8be24edbb4d48 /tests/utils_tests/test_http.py
parent316b8d49746933d1845d600314b002d9b64d3e3d (diff)
Fixed is_safe_url() to handle leading whitespace.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'tests/utils_tests/test_http.py')
-rw-r--r--tests/utils_tests/test_http.py3
1 files changed, 2 insertions, 1 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index b3e2c7b8d3..ac103f15d6 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -109,7 +109,8 @@ class TestUtilsHttp(unittest.TestCase):
'http:/\//example.com',
'http:\/example.com',
'http:/\example.com',
- 'javascript:alert("XSS")'):
+ 'javascript:alert("XSS")',
+ '\njavascript:alert(x)'):
self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
for good_url in ('/view/?param=http://example.com',
'/view/?param=https://example.com',
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 03:06:02 +0000