From 1966786d2dde73e17f39cf340eb33fcb5d73904e Mon Sep 17 00:00:00 2001 From: Carl Meyer Date: Wed, 9 Feb 2011 02:48:48 +0000 Subject: [1.1.X] Fixed security issue in AdminFileWidget. Release and disclosure forthcoming. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15472 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- tests/regressiontests/admin_widgets/tests.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'tests/regressiontests/admin_widgets/tests.py') diff --git a/tests/regressiontests/admin_widgets/tests.py b/tests/regressiontests/admin_widgets/tests.py index 64e12e3eaa..e69e5d2b71 100644 --- a/tests/regressiontests/admin_widgets/tests.py +++ b/tests/regressiontests/admin_widgets/tests.py @@ -154,3 +154,19 @@ class AdminForeignKeyRawIdWidget(DjangoTestCase): post_data) self.assertContains(response, 'Select a valid choice. That choice is not one of the available choices.') + +class AdminFileWidgetTest(DjangoTestCase): + def test_render_escapes_html(self): + class StrangeFieldFile(object): + url = "something?chapter=1§=2©=3&lang=en" + + def __unicode__(self): + return u'''something
.jpg''' + + widget = widgets.AdminFileWidget() + field = StrangeFieldFile() + output = widget.render('myfile', field) + self.assertFalse(field.url in output) + self.assertTrue(u'href="something?chapter=1&sect=2&copy=3&lang=en"' in output) + self.assertFalse(unicode(field) in output) + self.assertTrue(u'something<div onclick="alert('oops')">.jpg' in output) -- cgit v1.3