[1.2.X] Fixed security issue in AdminFileWidget. Disclosure and release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15471 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-07-04 01:39:20 +00:00 · 2011-02-09 02:44:16 +00:00 · 2011-02-09 02:44:16 +00:00 · 1f814a9547
commit 1f814a9547
parent 194566480b
2 changed files with 17 additions and 1 deletions
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@ -96,7 +96,7 @@ class AdminFileWidget(forms.FileInput):
        output = []
        if value and hasattr(value, "url"):
            output.append('%s <a target="_blank" href="%s">%s</a> <br />%s ' % \
-                (_('Currently:'), value.url, value, _('Change:')))
+                (_('Currently:'), escape(value.url), escape(value), _('Change:')))
        output.append(super(AdminFileWidget, self).render(name, value, attrs))
        return mark_safe(u''.join(output))

--- a/tests/regressiontests/admin_widgets/tests.py
+++ b/tests/regressiontests/admin_widgets/tests.py
@ -239,6 +239,22 @@ class AdminFileWidgetTest(DjangoTestCase):
            '<input type="file" name="test" />',
        )

+    def test_render_escapes_html(self):
+        class StrangeFieldFile(object):
+            url = "something?chapter=1&sect=2&copy=3&lang=en"
+
+            def __unicode__(self):
+                return u'''something<div onclick="alert('oops')">.jpg'''
+
+        widget = AdminFileWidget()
+        field = StrangeFieldFile()
+        output = widget.render('myfile', field)
+        self.assertFalse(field.url in output)
+        self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output)
+        self.assertFalse(unicode(field) in output)
+        self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output)
+
+

 class ForeignKeyRawIdWidgetTest(DjangoTestCase):
    def test_render(self):