Diffstat (limited to 'tests/admin_views')
-rw-r--r--tests/admin_views/admin.py2
-rw-r--r--tests/admin_views/models.py7
-rw-r--r--tests/admin_views/tests.py9
3 files changed, 17 insertions, 1 deletions
diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py
index 263008aeb5..d070e5a55e 100644
--- a/tests/admin_views/admin.py
+++ b/tests/admin_views/admin.py
@@ -870,7 +870,7 @@ site = admin.AdminSite(name="admin")
site.site_url = '/my-site-url/'
site.register(Article, ArticleAdmin)
site.register(CustomArticle, CustomArticleAdmin)
-site.register(Section, save_as=True, inlines=[ArticleInline])
+site.register(Section, save_as=True, inlines=[ArticleInline], readonly_fields=['name_property'])
site.register(ModelWithStringPrimaryKey)
site.register(Color)
site.register(Thing, ThingAdmin)
diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py
index 07f6864cf5..845d3d9ee2 100644
--- a/tests/admin_views/models.py
+++ b/tests/admin_views/models.py
@@ -22,6 +22,13 @@ class Section(models.Model):
"""
name = models.CharField(max_length=100)
+ @property
+ def name_property(self):
+ """
+ A property that simply returns the name. Used to test #24461
+ """
+ return self.name
+
@python_2_unicode_compatible
class Article(models.Model):
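Review bot: The docstring on `name_property` spends three lines on one sentence, and "A property that simply returns the name" restates what the decorator and the one-line body already show; PEP 257's one-line form, `"""Return the name; used to test #24461."""`, says the same thing more compactly. The enclosing class Section starts outside the hunk.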
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index 391122ef07..44490f7a7d 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -4644,6 +4644,15 @@ class ReadonlyTest(TestCase):
self.assertContains(response, '<label for="id_public">Overridden public label:</label>', html=True)
self.assertNotContains(response, "Some help text for the date (with unicode ŠĐĆŽćžšđ)")
+ def test_correct_autoescaping(self):
+ """
+ Make sure that non-field readonly elements are properly autoescaped (#24461)
+ """
+ section = Section.objects.create(name='<a>evil</a>')
+ response = self.client.get(reverse('admin:admin_views_section_change', args=(section.pk,)))
+ self.assertNotContains(response, "<a>evil</a>", status_code=200)
+ self.assertContains(response, "&lt;a&gt;evil&lt;/a&gt;", status_code=200)
+
@override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.SHA1PasswordHasher'],
ROOT_URLCONF="admin_views.urls")
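Review bot: The `status_code=200` keyword on both assertions in `test_correct_autoescaping` is the default for assertContains/assertNotContains and can be dropped: `self.assertNotContains(response, "<a>evil</a>")` and `self.assertContains(response, "&lt;a&gt;evil&lt;/a&gt;")`. The pairing itself is the right shape for an autoescaping regression test, since the negative assertion alone would also pass if the readonly value were not rendered at all, so the positive check on the escaped form is what proves the property is shown and escaped. Coverage is limited to the change view here; if readonly rendering is shared with the add view, a second request would extend the guard, though that is inferred rather than visible in the hunk. ReadonlyTest starts outside the hunk, and the authenticated client the test relies on is set up outside it as well.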