authorTim Graham <timograham@gmail.com>2017-08-02 16:22:35 -0400
committerTim Graham <timograham@gmail.com>2017-09-05 11:19:56 -0400
commit58e08e80e362db79eb0fd775dc81faad90dca47a (patch)
tree648f39c93bf68c965dc7664914d12b9ba9a99287 /tests
parentfba3c96a7409eb44f30f8e3aa78a642ae8b86641 (diff)
[1.10.x] Fixed CVE-2017-12794 -- Fixed XSS possibility in traceback section of technical 500 debug page.
This is a security fix.
Diffstat (limited to 'tests')
-rw-r--r--tests/view_tests/tests/py3_test_debug.py13
1 files changed, 7 insertions, 6 deletions
diff --git a/tests/view_tests/tests/py3_test_debug.py b/tests/view_tests/tests/py3_test_debug.py
index 30201bae53..316179ae3e 100644
--- a/tests/view_tests/tests/py3_test_debug.py
+++ b/tests/view_tests/tests/py3_test_debug.py
@@ -9,6 +9,7 @@ error (raise ... from ...) can't be silenced using NOQA.
import sys
from django.test import RequestFactory, TestCase
+from django.utils.safestring import mark_safe
from django.views.debug import ExceptionReporter
@@ -20,10 +21,10 @@ class Py3ExceptionReporterTests(TestCase):
request = self.rf.get('/test_view/')
try:
try:
- raise AttributeError('Top level')
+ raise AttributeError(mark_safe('<p>Top level</p>'))
except AttributeError as explicit:
try:
- raise ValueError('Second exception') from explicit
+ raise ValueError('<p>Second exception</p>') from explicit
except ValueError:
raise IndexError('Final exception')
except Exception:
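Review bot: Only the explicit-cause message on the `raise AttributeError(mark_safe('<p>Top level</p>'))` line is wrapped in `mark_safe`; the implicit-context message on the `raise ValueError('<p>Second exception</p>') from explicit` line stays a plain str, so the test pins that an already-safe-marked message is escaped on the explicit `__cause__` path but not on the implicit `__context__` path. Since the next hunk asserts the escaped `&lt;p&gt;Second exception&lt;/p&gt;` form for that message anyway, wrapping it too, `raise ValueError(mark_safe('<p>Second exception</p>')) from explicit`, would make the regression test cover both rendered messages without changing any assertion. A short comment above the raises, such as `# mark_safe() on the messages checks that safe-marked exception text is still escaped in the HTML traceback.`, would record why the test uses it. The enclosing test method starts before this hunk.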
@@ -37,9 +38,9 @@ class Py3ExceptionReporterTests(TestCase):
html = reporter.get_traceback_html()
# Both messages are twice on page -- one rendered as html,
# one as plain text (for pastebin)
- self.assertEqual(2, html.count(explicit_exc.format("Top level")))
- self.assertEqual(2, html.count(implicit_exc.format("Second exception")))
+ self.assertEqual(2, html.count(explicit_exc.format('&lt;p&gt;Top level&lt;/p&gt;')))
+ self.assertEqual(2, html.count(implicit_exc.format('&lt;p&gt;Second exception&lt;/p&gt;')))
text = reporter.get_traceback_text()
- self.assertIn(explicit_exc.format("Top level"), text)
- self.assertIn(implicit_exc.format("Second exception"), text)
+ self.assertIn(explicit_exc.format('<p>Top level</p>'), text)
+ self.assertIn(implicit_exc.format('<p>Second exception</p>'), text)